Edit tour

Windows Analysis Report
25.exe

Overview

General Information

Sample name:	25.exe
Analysis ID:	1590621
MD5:	d220efd77969f8418843d51bfcff36b3
SHA1:	07eec3ccf903ca0a889b19a87e5e371973cf47fa
SHA256:	67d7e1bcdcc758743aec227b041b4c2ad2a3bfb3ccdca4e4910065654103ff73
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

25.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\25.exe" MD5: D220EFD77969F8418843D51BFCFF36B3)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 25.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://exuik.com/downexui

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Origin\plug\update.exe

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: 25.exe	Virustotal: Detection: 41%			Perma Link
Source: 25.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Origin\plug\update.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 25.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AC740 CryptCreateHash,GetLastError,CryptSetHashParam,CryptSignHashW,CryptDestroyHash,	0_2_071AC740
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AC200 CryptExportKey,CryptExportKey,GetLastError,CryptExportKey,	0_2_071AC200
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AC000 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	0_2_071AC000
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071ACFF0 CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertEnumCertificatesInStore,CertCloseStore,CryptDestroyKey,CryptReleaseContext,CertFreeCRLContext,	0_2_071ACFF0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07196D00 CryptExportKey,	0_2_07196D00
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AAD40 CryptEnumProvidersW,CryptEnumProvidersW,CryptEnumProvidersW,GetLastError,GetLastError,	0_2_071AAD40
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07196DC0 CryptExportKey,	0_2_07196DC0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071ACCA0 CryptCreateHash,CryptSetHashParam,CryptSignHashW,CryptDestroyHash,	0_2_071ACCA0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AAB50 CryptEnumProvidersW,GetLastError,CryptEnumProvidersW,GetLastError,	0_2_071AAB50
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071ACA30 CryptDecrypt,GetLastError,_memmove,	0_2_071ACA30
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AD690 CryptAcquireContextW,CryptReleaseContext,	0_2_071AD690
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AB2B0 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,GetLastError,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	0_2_071AB2B0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AB180 CryptDestroyKey,CryptReleaseContext,CertFreeCRLContext,	0_2_071AB180
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AB1F0 CryptDestroyKey,CryptReleaseContext,CertFreeCRLContext,	0_2_071AB1F0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071AB000 CryptDestroyKey,CryptReleaseContext,CertFreeCRLContext,	0_2_071AB000
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071ABBC0 CryptAcquireContextW,GetLastError,CryptGetUserKey,CryptReleaseContext,	0_2_071ABBC0

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\25.exe

Unpacked PE file: 0.2.25.exe.6810000.5.unpack

Source: 25.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: C:\Program Files (x86)\e\lib\ExuiKrnln\ExuiKrnln_X32.pdb source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp, 25.exe, 00000000.00000002.3296080377.0000000010162000.00000002.00001000.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3290722845.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp, update.exe.0.dr
Source:	Binary string: D:\MyWork\Linux\MyWork\HP-Socket\Windows\Lib\HPSocket4C\x86\HPSocket4C.pdb source: 25.exe, 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 182.43.28.179:61163

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_070EFE40 WSAWaitForMultipleEvents,SetLastError,recv,SetLastError,GetLastError,WSAGetLastError,

0_2_070EFE40

Source: global traffic

DNS traffic detected: DNS query: auth.ccnote.net

Source: 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: 25.exe, 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: 25.exe, 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ip-api.com/json/?lang=zh-CN
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ip-api.com/json/?lang=zh-CNquerycountryhttps://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api
Source: 25.exe, 00000000.00000002.3295830897.00000000098D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.co
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp?json=true
Source: update.exe.0.dr	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://1.0.0.1/cdn-cgi/trace
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api4.ipify.org/?format=json
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/h
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp, 25.exe, 00000000.00000002.3296080377.0000000010162000.00000002.00001000.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3290722845.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp, update.exe.0.dr	String found in binary or memory: https://exuik.com/downexui
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://getipfromgoogle.ipcheck.ing/
Source: 25.exe, 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ldcsaa/HP-SocketF
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ip.cn/api/index?ip=
Source: 25.exe, 00000000.00000002.3294700390.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3294700390.00000000069EA000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000003.2098451847.00000000068DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kdocs.cn/l/cmTsJ4NprvOb
Source: 25.exe, 00000000.00000002.3294700390.00000000069EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kdocs.cn/l/cmTsJ4NprvObc6L
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://myip.ipip.net/json
Source: 25.exe, 00000000.00000002.3294700390.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3294086309.0000000003F9E000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000003.2098451847.00000000068DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vip.123yx.com/1825174603/Update/Origin/25.exe
Source: 25.exe, 00000000.00000002.3294700390.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3294086309.0000000004031000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000003.2098451847.00000000068DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.123pan.com/s/3axsjv-DtLgh.html
Source: 25.exe, 00000000.00000002.3294086309.0000000004031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.123pan.com/s/3axsjv-DtLgh.html2
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ip138.com
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ip138.comUser-Agent:
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.uc.cn/ip
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.uc.cn/iphttps://api.ip.sb/iphttps://getipfromgoogle.ipcheck.ing/iphttps://1.0.0.1/cdn-cg

Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07122720	0_2_07122720
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0711A790	0_2_0711A790
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07120620	0_2_07120620
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07106660	0_2_07106660
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0711E520	0_2_0711E520
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0711C420	0_2_0711C420
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0712C4C0	0_2_0712C4C0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0724C4C0	0_2_0724C4C0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07254059	0_2_07254059
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071180D0	0_2_071180D0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0719CE00	0_2_0719CE00
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07126D30	0_2_07126D30
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070E6CC0	0_2_070E6CC0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07128B90	0_2_07128B90
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071C6B80	0_2_071C6B80
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07260A1E	0_2_07260A1E
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07116990	0_2_07116990
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0712A9A0	0_2_0712A9A0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071249D0	0_2_071249D0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071A89F0	0_2_071A89F0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07118890	0_2_07118890
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0731D760	0_2_0731D760
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_072E57D0	0_2_072E57D0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07125570	0_2_07125570
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0731F408	0_2_0731F408
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070B9470	0_2_070B9470
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07191220	0_2_07191220
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07117150	0_2_07117150
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0712D170	0_2_0712D170
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0710F1D0	0_2_0710F1D0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07119050	0_2_07119050
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0711B050	0_2_0711B050
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0712DF00	0_2_0712DF00
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07125F60	0_2_07125F60
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07119FD0	0_2_07119FD0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07127C00	0_2_07127C00
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_071F1CA0	0_2_071F1CA0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07177BC0	0_2_07177BC0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0712BA00	0_2_0712BA00
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0713BA20	0_2_0713BA20
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07129A70	0_2_07129A70
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07105910	0_2_07105910
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07117910	0_2_07117910
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_07119810	0_2_07119810

Source: C:\Users\user\Desktop\25.exe	Code function: String function: 07186B90 appears 317 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 07186AE0 appears 54 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 07199120 appears 45 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 0717D300 appears 31 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 07186B20 appears 61 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 071920C0 appears 42 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 0717ED20 appears 55 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 0724BF80 appears 198 times
Source: C:\Users\user\Desktop\25.exe	Code function: String function: 07248530 appears 31 times

Source: 25.exe, 00000000.00000003.2078115813.00000000068D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs 25.exe
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExuiKrnl.lib* vs 25.exe
Source: 25.exe, 00000000.00000003.2078145272.000000000681F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs 25.exe
Source: 25.exe, 00000000.00000002.3296116817.000000001018A000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExuiKrnl.lib* vs 25.exe
Source: 25.exe, 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHPSocket4C.dll4 vs 25.exe
Source: 25.exe, 00000000.00000002.3294600731.0000000006863000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs 25.exe
Source: 25.exe, 00000000.00000003.2078266264.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs 25.exe
Source: 25.exe, 00000000.00000002.3290722845.0000000000F04000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7za.exe, vs 25.exe
Source: 25.exe, 00000000.00000002.3290722845.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExuiKrnl.lib* vs 25.exe

Source: 25.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.evad.winEXE@1/4@1/1

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_070CAFC0 LoadResource,LockResource,SizeofResource,

0_2_070CAFC0

Source: C:\Users\user\Desktop\25.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\25.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 25.exe	Virustotal: Detection: 41%
Source: 25.exe	ReversingLabs: Detection: 31%

Source: 25.exe	String found in binary or memory: id-cmc-addExtensions
Source: 25.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: 25.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\25.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\25.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: 25.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 25.exe

Static file information: File size 24784896 > 1048576

Source: 25.exe

Static PE information: Raw size of .3Km1 is bigger than: 0x100000 < 0x179e000

Source:	Binary string: C:\Program Files (x86)\e\lib\ExuiKrnln\ExuiKrnln_X32.pdb source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp, 25.exe, 00000000.00000002.3296080377.0000000010162000.00000002.00001000.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3290722845.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp, update.exe.0.dr
Source:	Binary string: D:\MyWork\Linux\MyWork\HP-Socket\Windows\Lib\HPSocket4C\x86\HPSocket4C.pdb source: 25.exe, 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\25.exe

Unpacked PE file: 0.2.25.exe.6810000.5.unpack

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_0725B562 LoadLibraryW,GetProcAddress,GetProcAddress,RtlEncodePointer,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_0725B562

Source: initial sample

Static PE information: section where entry point is pointing to: .3Km1

Source: 25.exe	Static PE information: section name: .3Km0
Source: 25.exe	Static PE information: section name: .3Km1
Source: 7za.exe.0.dr	Static PE information: section name: .sxdata

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_0724FF85 push ecx; ret

0_2_0724FF98

Source: C:\Users\user\Desktop\25.exe	File created: C:\Origin\plug\7za.exe			Jump to dropped file
Source: C:\Users\user\Desktop\25.exe	File created: C:\Origin\plug\update.exe			Jump to dropped file

Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: ZSBIECTRL.EXESANDMAN.EXE
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SBIECTRL.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\25.exe	RDTSC instruction interceptor: First address: 3B1704C second address: 3B17074 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 btc eax, 40h 0x00000007 movsx edi, di 0x0000000a stc 0x0000000b mov edi, dword ptr [esp+28h] 0x0000000f rcl ebx, cl 0x00000011 bswap edx 0x00000013 rcr bp, 003Dh 0x00000017 rol edi, 1 0x00000019 sbb eax, ecx 0x0000001b test di, 1BD2h 0x00000020 cwd 0x00000022 xor edi, 2FFB6164h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\25.exe	RDTSC instruction interceptor: First address: 22E6BB6 second address: 22E6BDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 btc eax, 40h 0x00000007 movsx edi, di 0x0000000a stc 0x0000000b mov edi, dword ptr [esp+28h] 0x0000000f rcl ebx, cl 0x00000011 bswap edx 0x00000013 rcr bp, 003Dh 0x00000017 rol edi, 1 0x00000019 sbb eax, ecx 0x0000001b test di, 1BD2h 0x00000020 cwd 0x00000022 xor edi, 2FFB6164h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\25.exe	RDTSC instruction interceptor: First address: 220A925 second address: 22E6BB6 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 cwde 0x00000004 pop eax 0x00000005 cmovo dx, ax 0x00000009 movsx edx, bx 0x0000000c bswap edx 0x0000000e pop edx 0x0000000f cmovbe ecx, ebp 0x00000012 not ecx 0x00000014 mov ecx, ebp 0x00000016 pop ecx 0x00000017 jmp 00007F8B98A1BAD3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 push A3668F91h 0x00000026 call 00007F8B987F37F1h 0x0000002b pushfd 0x0000002c stc 0x0000002d jmp 00007F8B98880702h 0x00000032 push ebx 0x00000033 not ebx 0x00000035 bt ebx, 64h 0x00000039 mov bx, ax 0x0000003c push edx 0x0000003d cmovnl edx, esi 0x00000040 rcl dx, 006Fh 0x00000044 bts ebx, eax 0x00000047 push esi 0x00000048 ror si, 0016h 0x0000004c push edi 0x0000004d cdq 0x0000004e bts si, cx 0x00000052 btr dx, 003Fh 0x00000057 push ecx 0x00000058 clc 0x00000059 push ebp 0x0000005a btr ebx, edx 0x0000005d push eax 0x0000005e stc 0x0000005f bt edi, ebx 0x00000062 mov ecx, 00000000h 0x00000067 movsx eax, cx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\25.exe	RDTSC instruction interceptor: First address: 4271AB second address: 4271AB instructions: 0x00000000 rdtsc 0x00000002 imul eax, eax, 000343FDh 0x00000008 add eax, 00269EC3h 0x0000000d shr eax, 10h 0x00000010 and eax, 00007FFFh 0x00000015 mov ecx, dword ptr [ebp+10h] 0x00000018 test ecx, ecx 0x0000001a jne 00007F8B98E73B77h 0x0000001c sub ecx, dword ptr [ebp+08h] 0x0000001f inc ecx 0x00000020 xor edx, edx 0x00000022 div ecx 0x00000024 add edx, dword ptr [ebp+08h] 0x00000027 mov eax, edx 0x00000029 pop edx 0x0000002a pop ecx 0x0000002b mov esp, ebp 0x0000002d pop ebp 0x0000002e retn 0010h 0x00000031 mov dword ptr [ebp-08h], eax 0x00000034 cmp dword ptr [ebp-08h], 01h 0x00000038 jne 00007F8B98E73C03h 0x0000003e push 00000001h 0x00000040 push 0000005Ah 0x00000045 push 00000001h 0x00000047 push 00000041h 0x0000004c call 00007F8B98E73C2Dh 0x00000051 push ebp 0x00000052 mov ebp, esp 0x00000054 push ecx 0x00000055 push edx 0x00000056 rdtsc

Source: C:\Users\user\Desktop\25.exe	Dropped PE file which has not been started: C:\Origin\plug\7za.exe			Jump to dropped file
Source: C:\Users\user\Desktop\25.exe	Dropped PE file which has not been started: C:\Origin\plug\update.exe			Jump to dropped file

Source: C:\Users\user\Desktop\25.exe

API coverage: 6.1 %

Source: C:\Users\user\Desktop\25.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_070C3050 GetSystemInfo,

0_2_070C3050

Source: 25.exe, 00000000.00000002.3294086309.0000000003F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: plug.zip.0.dr	Binary or memory string: hGfs0

Source: C:\Users\user\Desktop\25.exe	API call chain: ExitProcess graph end node			graph_0-57575
Source: C:\Users\user\Desktop\25.exe	API call chain: ExitProcess graph end node			graph_0-57566

Source: C:\Users\user\Desktop\25.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_072485B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_072485B4

Source: C:\Users\user\Desktop\25.exe

0_2_0725B562

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_0725D527 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0725D527

Source: C:\Users\user\Desktop\25.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_072485B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_072485B4
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_0724FA49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0724FA49

Source: 25.exe, 00000000.00000002.3294700390.0000000006A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp, 25.exe, 00000000.00000002.3296080377.0000000010162000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: ,LayoutFromTab_ControlTab_CanvasExLayeredTab_UpdateStateTab_NeedUpdateTab_RefreshCallBackCatchPopupControlFocusManagementTabDownTab_OLDFocuscontrolTab_WM_DESTROYTab_WM_DESTROY_TRUETab_WM_32879EXUI_USERDATATab_IsWinControlIsunicodeShell_TrayWndICON_1DownlistEx
Source: 25.exe, 00000000.00000002.3294700390.0000000006A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 25.exe, 00000000.00000002.3294700390.0000000006A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: 25.exe, 00000000.00000002.3290722845.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp, update.exe.0.dr	Binary or memory string: ,LayoutFromTab_CanvasExLayeredTab_UpdateStateTab_NeedUpdateTab_RefreshCallBackFocusManagementTabDownTab_OLDFocuscontrolTab_WM_DESTROYTab_WM_DESTROY_TRUETab_WM_32879EXUI_USERDATATab_IsWinControlIsunicodeShell_TrayWndICON_1DownlistEx
Source: 25.exe, 00000000.00000002.3294700390.0000000006A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager'C0

Source: C:\Users\user\Desktop\25.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\25.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_0724975F GetSystemTimeAsFileTime,__aulldiv,

0_2_0724975F

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_07255508 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_07255508

Source: C:\Users\user\Desktop\25.exe

Code function: 0_2_0719BAF0 GetStdHandle,GetFileType,_vswprintf_s,WriteFile,MultiByteToWideChar,_vswprintf_s,GetVersion,RegisterEventSourceW,ReportEventW,DeregisterEventSource,MessageBoxW,

0_2_0719BAF0

Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070F0DA0 socket,WSAIoctl,WSAGetLastError,WSAGetLastError,setsockopt,ioctlsocket,bind,SetLastError,SetLastError,listen,WSAGetLastError,SetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,	0_2_070F0DA0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BF370 _HP_Client_StartWithBindAddressAndLocalPort@24,	0_2_070BF370
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070F7E40 bind,htons,bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,	0_2_070F7E40
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE700 _Create_HP_UdpCastListener@0,	0_2_070BE700
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE730 _Create_HP_UdpNodeListener@0,	0_2_070BE730
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE760 _Create_HP_UdpArqServerListener@0,	0_2_070BE760
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE7A0 _Create_HP_UdpArqClientListener@0,	0_2_070BE7A0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE690 _Create_HP_UdpServerListener@0,	0_2_070BE690
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE6D0 _Create_HP_UdpClientListener@0,	0_2_070BE6D0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE420 _Create_HP_TcpPullClientListener@0,	0_2_070BE420
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE450 _Destroy_HP_UdpServerListener@4,	0_2_070BE450
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE330 _Create_HP_TcpAgentListener@0,	0_2_070BE330
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070CC360 _HP_SSLServer_BindSSLServerName@12,	0_2_070CC360
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE370 _Create_HP_TcpClientListener@0,	0_2_070BE370
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE3A0 _Create_HP_TcpPullServerListener@0,	0_2_070BE3A0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE3E0 _Create_HP_TcpPullAgentListener@0,	0_2_070BE3E0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE2F0 _Create_HP_TcpServerListener@0,	0_2_070BE2F0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C0F10 _Destroy_HP_HttpServerListener@4,	0_2_070C0F10
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C0E40 _Create_HP_HttpClientListener@0,	0_2_070C0E40
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C0D70 _Create_HP_HttpAgentListener@0,	0_2_070C0D70
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BEC20 _HP_TcpServer_GetSocketListenQueue@4,	0_2_070BEC20
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C0C70 _Create_HP_HttpServerListener@0,	0_2_070C0C70
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BEB60 _HP_TcpServer_SetSocketListenQueue@8,	0_2_070BEB60
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE9B0 _HP_Server_GetListenAddress@16,	0_2_070BE9B0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070F69B0 bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,	0_2_070F69B0
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BE800 _HP_Set_FN_UdpNode_OnPrepareListen@8,	0_2_070BE800
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070BF340 _HP_Client_StartWithBindAddress@20,	0_2_070BF340
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C1030 _HP_Set_FN_HttpServer_OnPrepareListen@8,	0_2_070C1030
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C1F10 _Create_HP_ThreadPoolListener@0,	0_2_070C1F10
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070C1F40 _Destroy_HP_ThreadPoolListener@4,	0_2_070C1F40
Source: C:\Users\user\Desktop\25.exe	Code function: 0_2_070EBA80 WSASetLastError,WSAGetLastError,SetLastError,WSAStringToAddressA,socket,bind,_memmove,closesocket,WSAGetLastError,SetLastError,closesocket,	0_2_070EBA80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	115 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
25.exe	42%	Virustotal		Browse
25.exe	32%	ReversingLabs	Win32.Trojan.Generic
25.exe	100%	Avira	HEUR/AGEN.1334817
25.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Origin\plug\update.exe	100%	Joe Sandbox ML
C:\Origin\plug\7za.exe	0%	ReversingLabs
C:\Origin\plug\update.exe	61%	ReversingLabs	Win32.Infostealer.Babar

Source	Detection	Scanner	Label
http://ns.adobe.co	0%	Avira URL Cloud	safe
https://www.ip138.comUser-Agent:	0%	Avira URL Cloud	safe
https://exuik.com/downexui	100%	Avira URL Cloud	malware
https://www.uc.cn/iphttps://api.ip.sb/iphttps://getipfromgoogle.ipcheck.ing/iphttps://1.0.0.1/cdn-cg	0%	Avira URL Cloud	safe
https://vip.123yx.com/1825174603/Update/Origin/25.exe	0%	Avira URL Cloud	safe
https://1.0.0.1/cdn-cgi/trace	0%	Avira URL Cloud	safe
https://getipfromgoogle.ipcheck.ing/	0%	Avira URL Cloud	safe
https://www.uc.cn/ip	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auth.ccnote.net	182.43.28.179	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	25.exe, 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.eyuyan.com)DVarFileInfo$	update.exe.0.dr	false		high
https://api.ip.sb/ip	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/ldcsaa/HP-SocketF	25.exe, 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmp	false		high
http://whois.pconline.com.cn/ipJson.jsp?json=true	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://ns.adobe.co	25.exe, 00000000.00000002.3295830897.00000000098D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myip.ipip.net/json	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://vip.123yx.com/1825174603/Update/Origin/25.exe	25.exe, 00000000.00000002.3294700390.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3294086309.0000000003F9E000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000003.2098451847.00000000068DD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://1.0.0.1/cdn-cgi/trace	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.123pan.com/s/3axsjv-DtLgh.html	25.exe, 00000000.00000002.3294700390.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3294086309.0000000004031000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000003.2098451847.00000000068DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ip138.comUser-Agent:	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?lang=zh-CN	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://kdocs.cn/l/cmTsJ4NprvOb	25.exe, 00000000.00000002.3294700390.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3294700390.00000000069EA000.00000004.00000020.00020000.00000000.sdmp, 25.exe, 00000000.00000003.2098451847.00000000068DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.css	25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp	false		high
https://exuik.com/downexui	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp, 25.exe, 00000000.00000002.3296080377.0000000010162000.00000002.00001000.00020000.00000000.sdmp, 25.exe, 00000000.00000002.3290722845.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp, update.exe.0.dr	false	Avira URL Cloud: malware	unknown
https://www.uc.cn/iphttps://api.ip.sb/iphttps://getipfromgoogle.ipcheck.ing/iphttps://1.0.0.1/cdn-cg	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://api4.ipify.org/?format=json	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://getipfromgoogle.ipcheck.ing/	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://cdid.c-ctrip.com/model-poc2/h	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://kdocs.cn/l/cmTsJ4NprvObc6L	25.exe, 00000000.00000002.3294700390.00000000069EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.123pan.com/s/3axsjv-DtLgh.html2	25.exe, 00000000.00000002.3294086309.0000000004031000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ip138.com	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://ip.cn/api/index?ip=	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://.jpg	25.exe, 25.exe, 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp	false		high
https://www.uc.cn/ip	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?lang=zh-CNquerycountryhttps://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api	25.exe, 00000000.00000002.3290722845.0000000001AAE000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
182.43.28.179	auth.ccnote.net	China		58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590621
Start date and time:	2025-01-14 11:24:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	25.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 42 Number of non-executed functions: 255
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.253.45, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-CTCLOUDCloudComputingCorporationCN	res.m68k.elf	Get hash	malicious	Unknown	Browse	140.246.191.25
	3.elf	Get hash	malicious	Unknown	Browse	101.222.153.60
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	101.192.103.253
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	101.214.93.239
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	36.114.228.124
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	101.130.234.247
	2.elf	Get hash	malicious	Unknown	Browse	101.213.162.101
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	101.222.31.15
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	101.196.187.234
	splm68k.elf	Get hash	malicious	Unknown	Browse	101.221.212.96

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Origin\plug\7za.exe	Adobe_Photoshop_2024 (1).zip	Get hash	malicious	Unknown	Browse
	HEU_KMS_Activator.exe	Get hash	malicious	Unknown	Browse
	Chrome_update(1).js	Get hash	malicious	Unknown	Browse
	Browser_update16.0.5836.js	Get hash	malicious	Unknown	Browse
	Chrome_update(1).js	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse
	Browser_update16.0.5836.js	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse
	tUUPQygorhzFkIcHuB.bat	Get hash	malicious	Unknown	Browse
	VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.bat	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Origin\plug\7za.exe

Download File

Process:	C:\Users\user\Desktop\25.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	587776
Entropy (8bit):	6.439962628647099
Encrypted:	false
SSDEEP:	12288:myyKdVnyNhXCV4EkP7AIfzNXZ0b5NrnkcAqIV0A1caRI:mKvyNhXCV4E8BXAfrnkcAqU0A
MD5:	42BADC1D2F03A8B1E4875740D3D49336
SHA1:	CEE178DA1FB05F99AF7A3547093122893BD1EB46
SHA-256:	C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
SHA-512:	6BC519A7368EE6BD8C8F69F2D634DD18799B4CA31FBC284D2580BA625F3A88B6A52D2BC17BEA0E75E63CA11C10356C47EE00C2C500294ABCB5141424FC5DC71C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Adobe_Photoshop_2024 (1).zip, Detection: malicious, Browse Filename: HEU_KMS_Activator.exe, Detection: malicious, Browse Filename: Chrome_update(1).js, Detection: malicious, Browse Filename: Browser_update16.0.5836.js, Detection: malicious, Browse Filename: Chrome_update(1).js, Detection: malicious, Browse Filename: Chrome_update.js, Detection: malicious, Browse Filename: Browser_update16.0.5836.js, Detection: malicious, Browse Filename: Chrome_update.js, Detection: malicious, Browse Filename: tUUPQygorhzFkIcHuB.bat, Detection: malicious, Browse Filename: VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.bat, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.rR9p..9p..9p..Bl..;p...l.. p...V..[p...xC.8p..9p...p...xA.>p...V...p..V....p..V...;p...v..8p..Rich9p..................PE..L....S.L............................L.............@.........................................................................\...P.......(...............................................................................P............................text............................... ..`.rdata..............................@..@.data............l..................@....sxdata.............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................

C:\Origin\plug\pic.zip

Download File

Process:	C:\Users\user\Desktop\25.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	8113558
Entropy (8bit):	7.994410643333036
Encrypted:	true
SSDEEP:	196608:mMb2migcp7/jWhxBpnHiba3bvhvK8qMdvQxeLIHMz:t4tjWhxrnHibIT8sQTHu
MD5:	0BDCCCF03E6556A031FAC73928C97D1C
SHA1:	30BEAD17F5E636F739538A1085C8C4388B9721C9
SHA-256:	2773CF30BAB673B1B490696B3766C88D72E19E61194EF113B8B355076B77FBCF
SHA-512:	934B3080CD3F762EFBC218D876D02DF5320B0A436D0856DF0425D0C79AE61BF172F8040E4AD913EACD943C8AD6BF3EBB25B6C0F48EED81DCD82B130C8FA94E3B
Malicious:	false
Reputation:	low
Preview:	PK........hopY................Pic/NPC...../PK........!.#Z................Pic/NPC...../..........bmpDMDM..Mb@&.#.P..2.....;./u.n;O.X}..'.Gi.=...n.w@.J.4....VC..`......~?..,E3..nq.......!m......0.......Q..w..#...!.P+...8u.d..;H..p/....Y...%..Q.<.)....P....w....YN.qB...k.T..~;...}...a\I........G.$...7#.p..................<>..u..z.cO...2.G.5...Nw..s......at.5..[...-..}e4.z.H}R..Z....r....j,..d...\`.}T..~.1Y.a.}Z..7..i+...0.P.b...^.!$z...%..f..A........,.7...[`..(.l...W.......K.U.\7.....X<.!.+../.I..6z."...&.Q}..:.w...g....M..N.1...LJ...W.(vT.Rl<2.......3pRF.]H...V#.Y.....;8^.C.'.+..(..hh..Y...e{.-...%"..+.:5_..Y.....,.@.....A.......-..%.....3M.f...?.+ .).6kTI5q.(..qUC..< ....a.....3......&S.-...4~Du.....k.=X`J\|4nr...S.j7....Z.m...........Q...d.)[P....C_...w^.C..!...Jm.n....A.rYO.O.............Di..c.BD....u.j..4..../p...R>.....&$.LK..u.q8S)W~Y.p..p..U.93u...Q].f....G......80..........u....R....d.>.......fl.P..4>..c..3E4w.\*&h..._bU.

C:\Origin\plug\plug.zip

Download File

Process:	C:\Users\user\Desktop\25.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	9189008
Entropy (8bit):	7.997210621453561
Encrypted:	true
SSDEEP:	196608:JKI8d5zTekX5ElYkKGJXjbzNQ0vg9vUYXKlHEe/xjm6fKz4:QIJkJElRvG0kvUYXKlrwcz
MD5:	D82B014C1A153825750E1905E55B9928
SHA1:	D40E7DF0FE42CB7194F668B95036D22BEC1E7ECA
SHA-256:	685DD7243760546762F650DE37166BB3790EB92461857D5AEB9AAA666EB2F31A
SHA-512:	D98B734225E84647E48391538F7801D82B541946257152C2944571514E4EB2654D96B64E8700CE6588A83E322CE5C9BD3BF6406A9826C766E56CBAB157883C00
Malicious:	false
Reputation:	low
Preview:	PK.........Q.Y...Bv....p......TURING.dll.y\|.W..'..7...I.k........... ..hH....k.......Rj....R..b.I.)...y..I.o.n...N.....y.s.9sf.M.u...(...KE.P..Q......n.VV....p.._.2.~._...~.{....s...d.^.~...........>..V.._....AMW...~.M.&.6...H..hzZ.Z......9...TQ.\.onD.s.e+..<...%.WQ.LZ...8.A..IK.qc.>..XQR...^Jq.2.....f....Ld..RY.\|.C..$..J.FN..=..QE4.......cS.a.....Jb..Z...>=.{"}=...~..R...2.7.....<.v.o.B...&$...4'ul....../t.E.....).S..A.a..................x}......J:X.6...:.....J1P.... ..uV......<..y.aw.....^...{....yE`.X'P... ..B..M...\....`%..0..r...'.o.....!l$..t..d...T..H/...s.......l....UJ.v...m.....6..;H...L.I..k.......n...>.W....Vu... ..@G....`.....'....$....eC\|.R.......lWPC.....=0.,..@.......d..e@...]A.....H'..`X..](?....&.s..i.P....l ..=........Hg.....f....a.=.8.....a.J!0.>...a.aCA{P.z.H@:.L.3.\|...G.......u....p.%...._........M....`......HO.s.R...P.kI.S....).g........O..80.....[.......!p........i?..BA8(..;.I`.....J......].......

C:\Origin\plug\update.exe

Download File

Process:	C:\Users\user\Desktop\25.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2793472
Entropy (8bit):	6.600226261066485
Encrypted:	false
SSDEEP:	24576:BgI8nNeDuBHyeH1FOhDI38QZD1Y6jG975ekTOXaTKsQul5BRa8ziXOu3fV9:BgznRygKZI9Y6jGLekCKWduRhzKO03
MD5:	D0528D1C98A75E47C7D493B9EA290AEA
SHA1:	AED86AD6320CBA38FB5111076E049A90CF966632
SHA-256:	26622666EEA430A8A2E7042BCDA32E28FF32F51FFDAA25065C6BC5633DA9E0DE
SHA-512:	49EA1031568F33C74CD71CFD0F3EB466A80D767B18BD083D15AA18AA8E4288B5551761D5BB415255B3E13B4C062610D7142D4EE61B14908B99C63DAC7AB32CEA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)..M)..M)..MF..M ..MF..M/..M...M.M...M...MR..M,..M...M...MK..M1..M)..M...M...M..M...Mu..M...MH..M...M0..M)..M...M.M(..MRich)..M................PE..L....I}f.................0...`".....%J.......@....@...........................,...............................................(.......,..Y...........................................................................@...............................text...........0.................. ..`.rdata..&. ..@.... ..@..............@..@.data........(..p....(.............@....rsrc....Y....,..`...@.............@..@........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.996035970216909
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	25.exe
File size:	24'784'896 bytes
MD5:	d220efd77969f8418843d51bfcff36b3
SHA1:	07eec3ccf903ca0a889b19a87e5e371973cf47fa
SHA256:	67d7e1bcdcc758743aec227b041b4c2ad2a3bfb3ccdca4e4910065654103ff73
SHA512:	ff155d9e693d43817b5e6aa0a70d6fa9c8ce96ebf1e19a982bfd155f51715943ef6a86f272b202586b3f36dd76ca01d33ccd8e24555c656d635ada38665dc670
SSDEEP:	393216:ODY42gmvesGfQjsiufH+6jUxvjHfCRSaoXSm8yN9AgmonZpIuwAEtk4I1lCFUW8:ODY42gmvUagfzU9jKAawSm8zgTZpX+iA
TLSH:	2747332323785109E1D6883A4D373E9175FF07A78643B4B5995A7EC63BC08A5FB02B93
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......................................................c...................<...c...........6..........................................

File Icon


Icon Hash:	33478613938e4d13

Static PE Info

General

Entrypoint:	0x3b46afd
Entrypoint Section:	.3Km1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6782C4A1 [Sat Jan 11 19:21:05 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f04bbf493d734f25d66d7285dfc605a6

Entrypoint Preview

Instruction
push 36FD4A96h
call 00007F8B9950CBEFh
jmp 00007F8B97DAA627h
add byte ptr [eax], al
dec ebx
imul ebp, dword ptr [esp+ebp*2+54h], 72656D69h
add cl, bh
ror eax, 1
dec eax
bswap eax
xor ebx, eax
cmp edi, 013344F1h
test bx, 31C7h
stc
add ebp, eax
push ebp
ret
mov dword ptr [3577BD0Bh], eax
cmp edi, dword ptr [edx-4C957100h]
cdq
sbb dword ptr [edx-4Ch], ebx
out dx, al
mov edx, 2C70D0CFh
call edi
pop es
xchg eax, esi
scasb
ficomp word ptr [esi-16266200h]
xchg eax, ecx
and dword ptr [esi+79h], 07h
mov bl, 61h
push cs
mov ebp, 2B9768E2h
shr byte ptr [edi-20h], cl
mov byte ptr [edi+0Bh], al
jle 00007F8B994C1BD0h
jnbe 00007F8B994C1BBEh
or dword ptr [esi+16329005h], esp
add ah, bh

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x208d608	0x154	.3Km1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37ba000	0x8c5e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3715000	0x80c	.3Km1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2aacc2	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2ac000	0x1a09b08	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1cb6000	0x5ef4a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.3Km0	0x1d15000	0x3064a6	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.3Km1	0x201c000	0x179d360	0x179e000	6bc8aa64f296044c468a66aa306ee760	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x37ba000	0x8c5e	0x4000	b142aed95b89a4af90349ce4716786b0	False	0.3724365234375	data	4.94694379620252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x37bdb1c	0xb	data	Chinese	China	1.0
TEXTINCLUDE	0x37bdb28	0x16	data	Chinese	China	0.5
TEXTINCLUDE	0x37bdb40	0x151	data	Chinese	China	0.03857566765578635
WAVE	0x37bdc94	0x1448	data	Chinese	China	0.019406392694063926
RT_CURSOR	0x37bf0dc	0x134	empty	Chinese	China	0
RT_CURSOR	0x37bf210	0x134	empty	Chinese	China	0
RT_CURSOR	0x37bf344	0x134	empty	Chinese	China	0
RT_CURSOR	0x37bf478	0xb4	empty	Chinese	China	0
RT_CURSOR	0x37bf52c	0x134	empty	Chinese	China	0
RT_CURSOR	0x37bf660	0x134	empty	Chinese	China	0
RT_BITMAP	0x37bf794	0x248	empty	Chinese	China	0
RT_BITMAP	0x37bf9dc	0x144	empty	Chinese	China	0
RT_BITMAP	0x37bfb20	0x158	empty	Chinese	China	0
RT_BITMAP	0x37bfc78	0x158	empty	Chinese	China	0
RT_BITMAP	0x37bfdd0	0x158	empty	Chinese	China	0
RT_BITMAP	0x37bff28	0x158	empty	Chinese	China	0
RT_BITMAP	0x37c0080	0x158	empty	Chinese	China	0
RT_BITMAP	0x37c01d8	0x158	empty	Chinese	China	0
RT_BITMAP	0x37c0330	0x158	empty	Chinese	China	0
RT_BITMAP	0x37c0488	0x158	empty	Chinese	China	0
RT_BITMAP	0x37c05e0	0x5e4	empty	Chinese	China	0
RT_BITMAP	0x37c0bc4	0xb8	empty	Chinese	China	0
RT_BITMAP	0x37c0c7c	0x16c	empty	Chinese	China	0
RT_BITMAP	0x37c0de8	0x144	empty	Chinese	China	0
RT_ICON	0x37bad40	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x37bb028	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x37bb150	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216			0.4337136929460581
RT_MENU	0x37c0f2c	0xc	empty	Chinese	China	0
RT_MENU	0x37c0f38	0x284	empty	Chinese	China	0
RT_DIALOG	0x37c11bc	0x98	empty	Chinese	China	0
RT_DIALOG	0x37c1254	0x17a	empty	Chinese	China	0
RT_DIALOG	0x37c13d0	0xfa	empty	Chinese	China	0
RT_DIALOG	0x37c14cc	0xea	empty	Chinese	China	0
RT_DIALOG	0x37c15b8	0x8ae	empty	Chinese	China	0
RT_DIALOG	0x37c1e68	0xb2	empty	Chinese	China	0
RT_DIALOG	0x37c1f1c	0xcc	empty	Chinese	China	0
RT_DIALOG	0x37c1fe8	0xb2	empty	Chinese	China	0
RT_DIALOG	0x37c209c	0xe2	empty	Chinese	China	0
RT_DIALOG	0x37c2180	0x18c	empty	Chinese	China	0
RT_STRING	0x37c230c	0x50	empty	Chinese	China	0
RT_STRING	0x37c235c	0x2c	empty	Chinese	China	0
RT_STRING	0x37c2388	0x78	empty	Chinese	China	0
RT_STRING	0x37c2400	0x1c4	empty	Chinese	China	0
RT_STRING	0x37c25c4	0x12a	empty	Chinese	China	0
RT_STRING	0x37c26f0	0x146	empty	Chinese	China	0
RT_STRING	0x37c2838	0x40	empty	Chinese	China	0
RT_STRING	0x37c2878	0x64	empty	Chinese	China	0
RT_STRING	0x37c28dc	0x1d8	empty	Chinese	China	0
RT_STRING	0x37c2ab4	0x114	empty	Chinese	China	0
RT_STRING	0x37c2bc8	0x24	empty	Chinese	China	0
RT_GROUP_CURSOR	0x37c2bec	0x14	empty	Chinese	China	0
RT_GROUP_CURSOR	0x37c2c00	0x14	empty	Chinese	China	0
RT_GROUP_CURSOR	0x37c2c14	0x14	empty	Chinese	China	0
RT_GROUP_CURSOR	0x37c2c28	0x14	empty	Chinese	China	0
RT_GROUP_CURSOR	0x37c2c3c	0x22	empty	Chinese	China	0
RT_GROUP_ICON	0x37bd6f8	0x14	data			1.25
RT_GROUP_ICON	0x37bd70c	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x37bd720	0x14	data	Chinese	China	1.25
RT_VERSION	0x37bd734	0x214	data	Chinese	China	0.5281954887218046
RT_MANIFEST	0x37bd948	0x1d2	XML 1.0 document, ASCII text, with very long lines (466), with no line terminators			0.5879828326180258

Imports

DLL	Import
WINMM.dll	midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, PlaySoundA, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, waveOutClose, waveOutReset, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause
WS2_32.dll	accept, getpeername, recv, ioctlsocket, recvfrom, WSAAsyncSelect, closesocket, WSACleanup, WSAStartup, gethostbyname, inet_ntoa
MSVFW32.dll	DrawDibDraw
AVIFIL32.dll	AVIStreamInfoA, AVIStreamGetFrame
KERNEL32.dll	GetTimeZoneInformation, GetVersion, InterlockedIncrement, InterlockedDecrement, LocalFree, FileTimeToSystemTime, FileTimeToLocalFileTime, lstrcpynA, DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, lstrcmpiA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpA, LocalAlloc, TlsAlloc, GlobalHandle, TlsFree, TlsSetValue, LocalReAlloc, TlsGetValue, GetFileTime, GetCurrentThread, GlobalFlags, SetErrorMode, GetProcessVersion, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, SetEnvironmentVariableW, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadCodePtr, SetStdHandle, GlobalMemoryStatus, TerminateProcess, GetFileSize, SetFilePointer, TerminateThread, GetCurrentProcess, GetWindowsDirectoryA, GetSystemDirectoryA, GetCurrentProcessId, OpenFileMappingA, MapViewOfFile, CreateFileMappingA, UnmapViewOfFile, IsBadReadPtr, VirtualProtect, SetLastError, GetSystemInfo, VirtualFree, VirtualAlloc, WideCharToMultiByte, MultiByteToWideChar, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, GetPrivateProfileSectionNamesA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, InterlockedExchange
USER32.dll	GetSysColorBrush, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, SetWindowTextA, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, UnhookWindowsHookEx, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, GetNextDlgTabItem, UnregisterHotKey, RegisterHotKey, CallWindowProcA, GetWindowTextA, FindWindowExA, GetDlgItem, GetClassNameA, GetDesktopWindow, GetForegroundWindow, DefWindowProcW, GetPropA, RegisterClassA, CreateWindowExA, SetPropA, LoadIconA, TranslateMessage, UnregisterClassA, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, LoadStringA, CreateIconFromResource, SetScrollRange, DrawFrameControl
GDI32.dll	GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, CreateCompatibleBitmap, CreateDCA, GetBkMode, CreateBrushIndirect, CreateHatchBrush, CreateBitmap, CreatePatternBrush, SelectObject, CreatePen, GetTextColor, PatBlt, CombineRgn, CreateRectRgn, CreateRoundRectRgn, FillRgn, TranslateCharsetInfo, TextOutA, SetBkMode, SetTextColor, SetDIBitsToDevice, SaveDC, RestoreDC, SetPolyFillMode, SetROP2, SetMapMode, CreateSolidBrush, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, CreateFontIndirectA, ExcludeClipRect, MoveToEx, LineTo, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, ExtTextOutA, Escape, GetTextMetricsA, SetBkColor, CreateRectRgnIndirect, CreateDIBSection, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, GetClipBox, CreateFontA, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, SetViewportOrgEx, GetDeviceCaps
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA, ChooseColorA, GetFileTitleA
ADVAPI32.dll	RegCreateKeyExA, RegQueryValueA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHELL32.dll	SHGetSpecialFolderPathA, DragAcceptFiles, DragFinish, DragQueryFileA, ShellExecuteA, Shell_NotifyIconA
ole32.dll	CLSIDFromProgID, OleInitialize, OleUninitialize, CLSIDFromString, CoCreateInstance, OleRun
OLEAUT32.dll	SafeArrayGetUBound, VariantChangeType, VariantClear, VariantCopy, SafeArrayGetElement, VariantCopyInd, SafeArrayGetLBound, SysAllocString, SafeArrayDestroy, SafeArrayGetDim, SafeArrayUnaccessData, VariantInit, SafeArrayAccessData, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib
COMCTL32.dll	_TrackMouseEvent, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_EndDrag, ImageList_DragEnter
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:25:06.887449026 CET	49704	61163	192.168.2.5	182.43.28.179
Jan 14, 2025 11:25:06.892446041 CET	61163	49704	182.43.28.179	192.168.2.5
Jan 14, 2025 11:25:06.892534018 CET	49704	61163	192.168.2.5	182.43.28.179
Jan 14, 2025 11:25:06.977240086 CET	49704	61163	192.168.2.5	182.43.28.179
Jan 14, 2025 11:25:06.984401941 CET	61163	49704	182.43.28.179	192.168.2.5
Jan 14, 2025 11:25:07.813970089 CET	61163	49704	182.43.28.179	192.168.2.5
Jan 14, 2025 11:25:07.854626894 CET	49704	61163	192.168.2.5	182.43.28.179
Jan 14, 2025 11:26:07.814877033 CET	49704	61163	192.168.2.5	182.43.28.179
Jan 14, 2025 11:26:07.819875002 CET	61163	49704	182.43.28.179	192.168.2.5
Jan 14, 2025 11:27:07.827883959 CET	49704	61163	192.168.2.5	182.43.28.179
Jan 14, 2025 11:27:07.833019018 CET	61163	49704	182.43.28.179	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:25:06.393893957 CET	55988	53	192.168.2.5	1.1.1.1
Jan 14, 2025 11:25:06.855221033 CET	53	55988	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:25:06.393893957 CET	192.168.2.5	1.1.1.1	0xdbf6	Standard query (0)	auth.ccnote.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:25:06.855221033 CET	1.1.1.1	192.168.2.5	0xdbf6	No error (0)	auth.ccnote.net		182.43.28.179	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:25:01
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\25.exe"
Imagebase:	0x400000
File size:	24'784'896 bytes
MD5 hash:	D220EFD77969F8418843D51BFCFF36B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6%
Total number of Nodes:	1236
Total number of Limit Nodes:	48

Executed Functions

Function 070F0DA0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 192
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,00000001,00000006), ref: 070F0DF8
WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 070F0E44
WSAGetLastError.WS2_32(?,00000001,00000006), ref: 070F0E55
setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 070F0E9C
ioctlsocket.WS2_32(?,8004667E,?), ref: 070F0EC4
bind.WS2_32(?,00000002,-0000001D), ref: 070F0EF2
SetLastError.KERNEL32(00000000,?,00000001,00000006), ref: 070F0F09
listen.WS2_32(?,00000000), ref: 070F0F28
WSAGetLastError.WS2_32(?,00000001,00000006), ref: 070F0F60
SetLastError.KERNEL32 ref: 070F0F6C

Strings

CTcpServer::CreateListenSocket, xrefs: 070F0FB9
0.0.0.0, xrefs: 070F0DCB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$Ioctlbindioctlsocketlistensetsockoptsocket
String ID: 0.0.0.0$CTcpServer::CreateListenSocket
API String ID: 3957589473-4023130488
Opcode ID: 15291f3d14f2aa712462f312aa4a94c6da248acbc1ece4687480e0109c405e91
Instruction ID: 4d88ee86188454f519912c04b475b170f9858069c8f3e0d0482c331a99ce30d4
Opcode Fuzzy Hash: 15291f3d14f2aa712462f312aa4a94c6da248acbc1ece4687480e0109c405e91
Instruction Fuzzy Hash: 1B61BDF1500309AFE7209BA5DC85BABB7F9EF84714F14461DF65297B80D670E940CBA1

Function 070F7E40 Relevance: 7.6, APIs: 5, Instructions: 86networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(18B52151,?,-0000001D), ref: 070F7E73
htons.WS2_32(?), ref: 070F7EB7
bind.WS2_32(18B52151,00000002,-0000001D), ref: 070F7EDE
InterlockedIncrement.KERNEL32(0736D0CC), ref: 070F7EFE
InterlockedIncrement.KERNEL32(0736D0CC), ref: 070F7F09

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: IncrementInterlockedbind$htons
String ID:
API String ID: 1901664375-0
Opcode ID: 7773c8b0925363aa85988278057361ce605965d31d2eebdbf5a4355732437b1a
Instruction ID: 14fb9467631d8ba5a675793583ae587a069684f7bfb7cb6c3ad74f089255cce4
Opcode Fuzzy Hash: 7773c8b0925363aa85988278057361ce605965d31d2eebdbf5a4355732437b1a
Instruction Fuzzy Hash: 722103B2A101069BDB50EABCEC46ABF77E8EB49224B448757F914C7681E634D85183A2

Function 070EFE40 Relevance: 6.1, APIs: 4, Instructions: 72networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 070EFE64
SetLastError.KERNEL32(00000000), ref: 070EFE72
GetLastError.KERNEL32 ref: 070EFE96
WSAGetLastError.WS2_32 ref: 070EFEDA

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 592bf538a0b249bd0367b1c01a36ab0ec11d1f0f4d61c2d9ccc5f42b6769ca4b
Instruction ID: c3a20846c9ebd3100268fc3b495eb5cbf217c7657e6678d15e30d8dc2dc82fd7
Opcode Fuzzy Hash: 592bf538a0b249bd0367b1c01a36ab0ec11d1f0f4d61c2d9ccc5f42b6769ca4b
Instruction Fuzzy Hash: 07213BF1200B028FE374CF69E484B27B3E9AB88718F104A2EE55AC7781D775F8458B50

Function 070C3050 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 070C306B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 84ae2c4c0e7754aa68828b6db63872396d0cdeb9f44163c587aa6a1e86865d00
Instruction ID: d80d16b12a34212cc15ed8b92af813708196f3a2d6742c6f0c87cf40df939e07
Opcode Fuzzy Hash: 84ae2c4c0e7754aa68828b6db63872396d0cdeb9f44163c587aa6a1e86865d00
Instruction Fuzzy Hash: 2DE0D873A251285B8B00EB6CD8014AEB3BCBB49620B10834AFC11EB380C631BC1087D2

Function 070BF370 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2deb79e13e61ded0c8d404cd0bb8c9a3ab813605c934b4b00f919d9190d57d
Instruction ID: aaf1fa5fa21a1a1df01858c35b7e0903dc1608eb1d6190aa4af65ccf4f6ef768
Opcode Fuzzy Hash: 3b2deb79e13e61ded0c8d404cd0bb8c9a3ab813605c934b4b00f919d9190d57d
Instruction Fuzzy Hash: 45E02D7A200209AF8B80DF9CD880EAB77EDAB8C210B148544FA19C7301C630FD629BA0

Function 070C7150 Relevance: 33.2, APIs: 22, Instructions: 229
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(00000014), ref: 070C7172
ResetEvent.KERNEL32(?), ref: 070C71A3
InterlockedExchange.KERNEL32(00000038,00000001), ref: 070C71B5
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,000000FF), ref: 070C71C1
WaitForSingleObject.KERNEL32(?,070C70C2), ref: 070C71CF
InterlockedExchange.KERNEL32(00000038,00000000), ref: 070C71DF
RtlLeaveCriticalSection.NTDLL(?), ref: 070C71F6
WaitForSingleObject.KERNEL32(00000038,0000EA60), ref: 070C724F
CloseHandle.KERNEL32(00000038), ref: 070C725A
RtlLeaveCriticalSection.NTDLL(00000014), ref: 070C7282
RtlLeaveCriticalSection.NTDLL(?), ref: 070C729F
RtlLeaveCriticalSection.NTDLL(?), ref: 070C72B5
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 070C72D4
ResetEvent.KERNEL32(?), ref: 070C72E8
WaitForSingleObject.KERNEL32(?,070C70C2), ref: 070C7317
CloseHandle.KERNEL32(00000000,?,?), ref: 070C733C
RtlLeaveCriticalSection.NTDLL(?), ref: 070C7356
RtlLeaveCriticalSection.NTDLL(00000014), ref: 070C736F
CloseHandle.KERNEL32(00000000), ref: 070C7388
RtlLeaveCriticalSection.NTDLL(00000014), ref: 070C738F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$CloseHandleObjectSingleWait$EventExchangeInterlockedReset$CompletionEnterExceptionPostQueuedRaiseStatus
String ID:
API String ID: 579648409-0
Opcode ID: 7a4aa9175f7050a3c36452124eac78e0fd8f1b358aeb29578aeece4c37b20b07
Instruction ID: c513e481cfb235eb34d46d80367bd09c56d32d5286f0f8c2931ba47d5cb85b6a
Opcode Fuzzy Hash: 7a4aa9175f7050a3c36452124eac78e0fd8f1b358aeb29578aeece4c37b20b07
Instruction Fuzzy Hash: 986161F2604216ABD710DFA8F849A5EB7E8FB88315F00966AFA45D7340D774E8118BA1

Function 070EF3E0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 168
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 070EF47B
ResetEvent.KERNEL32(00000002,?,?,?,?,?,?), ref: 070EF4CD
WSAGetLastError.WS2_32(?,?,?,?,?,?,?), ref: 070EF504
SetLastError.KERNEL32(00000000,?,?,?), ref: 070EF524
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 070EF52A
SetLastError.KERNEL32(00000000,?,?,?), ref: 070EF553

Part of subcall function 070EFA30: WSAEventSelect.WS2_32(18B52151,?,00000030), ref: 070EFA48
Part of subcall function 070EFA30: connect.WS2_32(18B52151,?,-0000001D), ref: 070EFA6D
Part of subcall function 070EFA30: WSAGetLastError.WS2_32(?,070EF4A2,?,?,?,?,?,?,?), ref: 070EFA7C

WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 070EF559
WSAGetLastError.WS2_32(?,?,?,?), ref: 070EF577
SetLastError.KERNEL32(00000000,?,?,?), ref: 070EF59D
GetLastError.KERNEL32 ref: 070EF5B3
SetLastError.KERNEL32(00000000), ref: 070EF5C5

Part of subcall function 070F7E40: bind.WS2_32(18B52151,?,-0000001D), ref: 070F7E73

Strings

CTcpClient::Start, xrefs: 070EF4E6, 070EF50F, 070EF53E, 070EF564, 070EF582

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$Event$ResetSelectbindconnect
String ID: CTcpClient::Start
API String ID: 1052395590-3740072585
Opcode ID: 2fd6b37a2af41e871f0a4440062ae6425d2346f047f163250c5dc6d43520d8a3
Instruction ID: d49910b5391cb70d5fd9edea31b05b3c6683aeb372872a3b201a03a388cdaba4
Opcode Fuzzy Hash: 2fd6b37a2af41e871f0a4440062ae6425d2346f047f163250c5dc6d43520d8a3
Instruction Fuzzy Hash: F351A3F2600605DFD720EF55EC45E6FB7F9EF98304F00866AEA1593350EB71A9058BA1

Function 070F2280 Relevance: 15.2, APIs: 10, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 070F22AF
_memmove.LIBCMT ref: 070F22E1
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 070F2347
CloseHandle.KERNEL32(00000000,?,00000001,000000FF,?,00000001,000000FF), ref: 070F2364

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseCompletionHandleMultipleObjectsPostQueuedStatusWait_memmove
String ID:
API String ID: 3218539664-0
Opcode ID: 2346ced5acbd4b52cd13d866911f391adde1176ef71bc5103bdab8d544493491
Instruction ID: c397cd5fa50d651de242bb9c2cda3445de0bcd36b61a440470ce3419f1a7e8de
Opcode Fuzzy Hash: 2346ced5acbd4b52cd13d866911f391adde1176ef71bc5103bdab8d544493491
Instruction Fuzzy Hash: FF818FF1A1021AEFDB14DF68D885AAEBBE8FF48304F00466AEA15D7640D774E941CB91

Function 070D2750 Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?), ref: 070D2772
GetLastError.KERNEL32 ref: 070D277C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID:
API String ID: 439134102-0
Opcode ID: 7402795a5c6b1152b3df6d861744f0df83a2ef56cad11035b85af7b69769c680
Instruction ID: 69e89113f13517491cbaa82078a2348f68f5349ae5bb8f46dc0780ff54ac3d48
Opcode Fuzzy Hash: 7402795a5c6b1152b3df6d861744f0df83a2ef56cad11035b85af7b69769c680
Instruction Fuzzy Hash: 99217EB62407019BD370EB69FD89B1AB7ECFB94725F10862BF645C6680DA75E8048B24

Function 070D1440 Relevance: 13.7, APIs: 9, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 070D14C3
_free.LIBCMT ref: 070D15E1
std::exception::exception.LIBCMT ref: 070D1610
__CxxThrowException@8.LIBCMT ref: 070D1625
SetLastError.KERNEL32(0000000D,?,?), ref: 070D162C
_free.LIBCMT ref: 070D1633
SetLastError.KERNEL32(00000018,?,?), ref: 070D1654
_free.LIBCMT ref: 070D165B

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast_free$Exception@8FreeHeapThrow_mallocstd::exception::exception
String ID:
API String ID: 3837565262-0
Opcode ID: 9279f86d8e50b64eb86bd878afc646bf0437bf2b4e719a8c063127d57349fe93
Instruction ID: f9b13eb41d8033756a312c682292c65a16d37cf75415e4c113a20a1ebe150b50
Opcode Fuzzy Hash: 9279f86d8e50b64eb86bd878afc646bf0437bf2b4e719a8c063127d57349fe93
Instruction Fuzzy Hash: A0718FF6E103199FDB18CFA8D885AAEB7F4FB48710F15427AE815A7340DA759D00CBA1

Function 070E57C0 Relevance: 13.6, APIs: 9, Instructions: 141
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000000,?,?), ref: 070E5848
_free.LIBCMT ref: 070E585D

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

WSASetLastError.WS2_32(00000000,?,?,?,?), ref: 070E586A
lstrlen.KERNEL32(?), ref: 070E5887
_memcpy_s.LIBCMT ref: 070E58B1
_memmove.LIBCMT ref: 070E590F
FreeAddrInfoW.WS2_32(?), ref: 070E591D
htons.WS2_32(?), ref: 070E592B
WSASetLastError.WS2_32(00002AF9,?,?,?,?), ref: 070E5950

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$Free$AddrException@8HeapInfoThrow_free_memcpy_s_memmovegetaddrinfohtonslstrlen
String ID:
API String ID: 3043740235-0
Opcode ID: af82688f72f6dc1dc919b53325a59112a528ceaecfd89f5f0117ad84da048860
Instruction ID: 8491a8e9746f6d7244f036e513ed91d03652ca0289a7de4ac39a78c1beb6c735
Opcode Fuzzy Hash: af82688f72f6dc1dc919b53325a59112a528ceaecfd89f5f0117ad84da048860
Instruction Fuzzy Hash: E1515EF1614300DFC754DF68D845AABB7E9EF88614F418A6EF849DB210E734D910CBA6

Function 070EFA30 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(18B52151,?,00000030), ref: 070EFA48
connect.WS2_32(18B52151,?,-0000001D), ref: 070EFA6D
WSAGetLastError.WS2_32(?,070EF4A2,?,?,?,?,?,?,?), ref: 070EFA7C
connect.WS2_32(18B52151,?,-0000001D), ref: 070EFAB2
WSAEventSelect.WS2_32(18B52151,?,00000023), ref: 070EFAC7
SetLastError.KERNEL32(00000000,?,070EF4A2,?,?,?,?,?,?,?), ref: 070EFADF
GetLastError.KERNEL32(?,070EF4A2,?,?,?,?,?,?,?), ref: 070EFAF6
WSASetLastError.WS2_32(00000000,?,070EF4A2,?,?,?,?,?,?,?), ref: 070EFB06

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$EventSelectconnect
String ID:
API String ID: 371153081-0
Opcode ID: 79c0b31e35903ea1e05c8d234629f9b14a4cf6d27cfd35e64926fddf06ba4aca
Instruction ID: 31b2a10e00bf7126ecd6641234d1492573f49ca37dfe45b9aa4fc1c8c8cca8af
Opcode Fuzzy Hash: 79c0b31e35903ea1e05c8d234629f9b14a4cf6d27cfd35e64926fddf06ba4aca
Instruction Fuzzy Hash: F72183F22006029FD3649E78FC8DA2BB7EDEB94734B148B26F555C66C0D778E891C620

Function 07249922 Relevance: 12.1, APIs: 8, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___set_flsgetvalue.LIBCMT ref: 07249947
__calloc_crt.LIBCMT ref: 07249953
__getptd.LIBCMT ref: 07249960
__initptd.LIBCMT ref: 07249969
CreateThread.KERNEL32(?,?,072498BD,00000000,?,?), ref: 07249997
GetLastError.KERNEL32(?,070C7306,00000000,?,070C82C0,00000000,00000000,?), ref: 072499A1
_free.LIBCMT ref: 072499AA
__dosmaperr.LIBCMT ref: 072499B5

Part of subcall function 0724AA53: __getptd_noexit.LIBCMT ref: 0724AA53

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
String ID:
API String ID: 73303432-0
Opcode ID: 787f46532f8cdac20ae1df794ed89150963cd67607ae6596061b9217e29e889d
Instruction ID: f21686792a3c0c3a1b96bbbe239bec03a317849f4509c6b5a2800ef66775c763
Opcode Fuzzy Hash: 787f46532f8cdac20ae1df794ed89150963cd67607ae6596061b9217e29e889d
Instruction Fuzzy Hash: 2111E5F2124707EFDB29AFA5AC44E9B37ACEF45374B10402AFD54C6140DB75E94186A2

Function 070EF7E0 Relevance: 10.7, APIs: 7, Instructions: 201
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 070D6740: StrChrA.SHLWAPI(?,0000005E,?,070EF454,?,070EF829,?,18B52151,00000000,?,0736D060,?,?,?,?,07265268), ref: 070D674B

Part of subcall function 070E5570: StrChrA.SHLWAPI(?,0000003A,?,070E5A56,18B52151), ref: 070E558C

Part of subcall function 070E56B0: WSASetLastError.WS2_32(00002741,?,?,070EF84E,?,?,18B52151,00000000,?,0736D060,?,?,?,?,07265268,000000FF), ref: 070E56C6

WSAStringToAddressA.WS2_32(?,?,00000000,?,?,0736D060,?,?,?,?,07265268,000000FF,?,070EF454,?,?), ref: 070EF8C6
WSASetLastError.WS2_32(0000273F,?,00000000,?,?,0736D060,?,?,?,?,07265268,000000FF,?,070EF454,?,?), ref: 070EF8E0
socket.WS2_32(?,00000001,00000006), ref: 070EF90D
WSAIoctl.WS2_32(00000000,98000004,000000FF,0000000C,00000000,00000000,0736D060,00000000,00000000), ref: 070EF959
WSAGetLastError.WS2_32(?,00000001,00000006,0736D060,?,?,?,?,07265268,000000FF,?,070EF454,?,?,?), ref: 070EF964
setsockopt.WS2_32(18B52151,00000006,00000001,0736D060,00000004), ref: 070EF9AC
WSACreateEvent.WS2_32 ref: 070EF9C0

Part of subcall function 070E5570: _swscanf.LIBCMT ref: 070E55C5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$AddressCreateEventIoctlString_swscanfsetsockoptsocket
String ID:
API String ID: 449100552-0
Opcode ID: 11d6cffa29599ee05c807414811525fd953a539404962eb3b225d64540493ea8
Instruction ID: b4e7b2f8d2e7e3789426826e5957d69872c188468c229011dac8eb8c43a907c9
Opcode Fuzzy Hash: 11d6cffa29599ee05c807414811525fd953a539404962eb3b225d64540493ea8
Instruction Fuzzy Hash: EB718FF1A0020AEFDB54DF64D845BEEB7B9FF48714F04461AE952B7280D734A950CBA1

Function 070EFB20 Relevance: 10.6, APIs: 7, Instructions: 128
threadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 070EFB32
GetCurrentThreadId.KERNEL32 ref: 070EFB42
_free.LIBCMT ref: 070EFB89

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 070EFBC2
GetCurrentThreadId.KERNEL32 ref: 070EFC1D
GetCurrentThreadId.KERNEL32 ref: 070EFC47
WSAGetLastError.WS2_32 ref: 070EFC76

Part of subcall function 070EFF90: RtlEnterCriticalSection.NTDLL(?), ref: 070EFFDA
Part of subcall function 070EFF90: RtlLeaveCriticalSection.NTDLL(?), ref: 070F0025
Part of subcall function 070EFF90: HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,18B52151,?,?), ref: 070F006C
Part of subcall function 070EFF90: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,18B52151,?,?), ref: 070F008E

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CurrentThread$FreeHeap$CriticalErrorLastSection$EnterEventsLeaveMultipleWait_free
String ID:
API String ID: 2369052291-0
Opcode ID: c5ecfdfdaf385a96742e6d43bfd1b06dc5de32760bbfc811994bb37f346cc53d
Instruction ID: c8714e8af48e027329cb178a21ca87bdaa074be7a1101a05b64a890896246943
Opcode Fuzzy Hash: c5ecfdfdaf385a96742e6d43bfd1b06dc5de32760bbfc811994bb37f346cc53d
Instruction Fuzzy Hash: 664151F42006039FD794DF28D994B6AB3E9BF88314F148A19D969C7380DB34F991CB92

Function 070E6290 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(?,0000FFFF,000000FB,00000001,00000004), ref: 070E62BE
setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 070E62D0
setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 070E62F3
setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 070E6305

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 2252566eea957e12f7a871bf44b2168fc5d875899f773f15c04708248812cac4
Instruction ID: 2e058c795961936fd266ce37b37d0529647b0e63b9c46be96ac997a5c14f389d
Opcode Fuzzy Hash: 2252566eea957e12f7a871bf44b2168fc5d875899f773f15c04708248812cac4
Instruction Fuzzy Hash: 39210A7274420A7AE610D694BC82FBE73ACDF85734F200371F714DB2C0DAB1990843A9

Function 070EFF90 Relevance: 9.1, APIs: 6, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070EFFDA
RtlLeaveCriticalSection.NTDLL(?), ref: 070F0025
HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,18B52151,?,?), ref: 070F006C
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,18B52151,?,?), ref: 070F008E
RtlEnterCriticalSection.NTDLL(?), ref: 070F00AF
RtlLeaveCriticalSection.NTDLL(?), ref: 070F00E8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeave
String ID:
API String ID: 3296397286-0
Opcode ID: 2165bae47d49e08aa58da68d16d0d17d547f3523d1037640bb7b579b32864410
Instruction ID: 8e1b0028200edf4958900fca26fea22da5d3507403a60d15d659a34b8c6149a2
Opcode Fuzzy Hash: 2165bae47d49e08aa58da68d16d0d17d547f3523d1037640bb7b579b32864410
Instruction Fuzzy Hash: B74129B1504605DFDB50CFA4D988BAABBF8FB49310F508A6EEA1AD7701D735A840CB60

Function 070D2210 Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000003), ref: 070D221E
SetLastError.KERNEL32(0000139F), ref: 070D222E
SetLastError.KERNEL32(?,?,?), ref: 070D2282
GetLastError.KERNEL32(?,?,?), ref: 070D2284
SetLastError.KERNEL32(00000000,?,?,?), ref: 070D2298

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$CompareExchangeInterlocked
String ID:
API String ID: 4252562804-0
Opcode ID: d79c947940c0a56a5a0b751e85209401ec0701ef39838a0265c06175845c7df1
Instruction ID: 9a817b80fbc8c47b54dc31b2db3d6b8177f72d73ba483a7cab8aa641d4788ef2
Opcode Fuzzy Hash: d79c947940c0a56a5a0b751e85209401ec0701ef39838a0265c06175845c7df1
Instruction Fuzzy Hash: 761166B6300305AFD714DFA9EC84E6BB7A9FB88321B008626F619C7740D775E911DBA0

Function 070C73D0 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 070C73EA

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

_free.LIBCMT ref: 070C73F3
_malloc.LIBCMT ref: 070C742D
_malloc.LIBCMT ref: 070C7439
_memset.LIBCMT ref: 070C7448
_memset.LIBCMT ref: 070C7456

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _free_malloc_memset$ErrorFreeHeapLast
String ID:
API String ID: 3649356292-0
Opcode ID: fde4dfc3c3ff727f576041babac2595dfb05109e3034c4fac499dff57249d17d
Instruction ID: e7d0119f31bae52121f4ddedd27cf0f58aca3f7098109e5392a76792387b3cba
Opcode Fuzzy Hash: fde4dfc3c3ff727f576041babac2595dfb05109e3034c4fac499dff57249d17d
Instruction Fuzzy Hash: A511F7F1A22612FFC758EF749D50B9AFBE8BB08200F1046299628D7640E735B520CBD1

Function 070F1030 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 070F1157
GetLastError.KERNEL32(vector<T> too long), ref: 070F115C
SetLastError.KERNEL32 ref: 070F116C

Strings

vector<T> too long, xrefs: 070F1152
CTcpServer::CreateWorkerThreads, xrefs: 070F1175

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$Xinvalid_argumentstd::_
String ID: CTcpServer::CreateWorkerThreads$vector<T> too long
API String ID: 1024515993-3928122342
Opcode ID: b86ac04ec0861fd1b29310e2433f064dd2f9218a12fab6febc7ddbc554e65b78
Instruction ID: a0bf50402c7d97ff1f2434ee72f26b050b5654b29d875c5589b3299cd6c0e8b6
Opcode Fuzzy Hash: b86ac04ec0861fd1b29310e2433f064dd2f9218a12fab6febc7ddbc554e65b78
Instruction Fuzzy Hash: 4D413CF170020ADBCB289F64DC8576EB7D6FB84315F24876DDA16D7784D6B1E8418B40

Function 070F11A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNEL32(?,?,?,00000000,?,?,?,070F0A9A,?,?,?,?,?,070E1319,?,?), ref: 070F11B7
PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,?,?,?,?,070F0A9A,?,?,?,?,?,070E1319,?), ref: 070F11E2
GetLastError.KERNEL32(?,?,?,070F0A9A,?,?,?,?,?,070E1319,?,?), ref: 070F1201
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 070F1211

Strings

CTcpServer::StartAccept, xrefs: 070F121A

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CompletionErrorLast$CreatePortPostQueuedStatus
String ID: CTcpServer::StartAccept
API String ID: 350138180-877316848
Opcode ID: 579600eff87901d9e0f54fa118254e42881061ec78124b74bb5c27bd97cc61b8
Instruction ID: 825799a907f6cb5c61aab5462f10e0a92cd9ff3e834e4983ab071de50f7aff70
Opcode Fuzzy Hash: 579600eff87901d9e0f54fa118254e42881061ec78124b74bb5c27bd97cc61b8
Instruction Fuzzy Hash: 1D115BB1600708EFE720DB9AED49B5BB3ECFB85714F10429EFA4997780C671A9018B61

Function 071D28E0 Relevance: 7.7, APIs: 6, Instructions: 155COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,?,?,?,?,071908A3,?,?,?,?), ref: 071D2936
GetLastError.KERNEL32(?,?,?,?,071908A3,?,?,?,?,?,?,071A9D54,?,07346D34,-00000040,(TEST_ENG_OPENSSL_PKEY)Loading Private key %s), ref: 071D293E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,?,?,071908A3,?,?,?,?), ref: 071D2962
GetLastError.KERNEL32(?,?,?,?,071908A3,?,?,?,?,?,?,071A9D54,?,07346D34,-00000040,(TEST_ENG_OPENSSL_PKEY)Loading Private key %s), ref: 071D296A
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,?,?,071908A3,?,?,?,?), ref: 071D29BC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,?,?,071908A3,?,?), ref: 071D29E9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9d5a86698cbe89ca54a4ddcdfd52d370fac3e46347d5b5737a2a7a827968b51d
Instruction ID: 34316de5b526c617ee6e29ed9d4e50b3229eedffaac82b0267780f41ded6a1d0
Opcode Fuzzy Hash: 9d5a86698cbe89ca54a4ddcdfd52d370fac3e46347d5b5737a2a7a827968b51d
Instruction Fuzzy Hash: 0441F9B2B00116DBDB25DBA4DC45BEEB7B5FF84710F00006AEA15EB280DB709D04CBA1

Function 070BAAB0 Relevance: 7.6, APIs: 5, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,18B52151,00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 070BAB13
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,07263495,000000FF), ref: 070BAB28
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,18B52151,00000008,00000000), ref: 070BAB9B
HeapCreate.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 070BAC09
_free.LIBCMT ref: 070BAC72

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateInfoNativeSystem$EventHeap_free
String ID:
API String ID: 2317652866-0
Opcode ID: 0ae77cfca2c8038407c3e28712c5a26b5ff9c9477a35933bd1c53f0fca5a76b4
Instruction ID: e7e0bd897d3d9c4f243e7bdf3c25791daa99757e689c4d3731f705e8c47601d8
Opcode Fuzzy Hash: 0ae77cfca2c8038407c3e28712c5a26b5ff9c9477a35933bd1c53f0fca5a76b4
Instruction Fuzzy Hash: 406112F0A00B46EFD758CF69D584789FBE8FB08304F50822ED52887781D775A664CB94

Function 070F0110 Relevance: 7.6, APIs: 5, Instructions: 85networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,?,?,00000000), ref: 070F013D
RtlEnterCriticalSection.NTDLL(?), ref: 070F0150
RtlLeaveCriticalSection.NTDLL(?), ref: 070F015D
SetLastError.KERNEL32(00000000,?,070F0047,00000000,00000000,18B52151,?,?), ref: 070F0165
WSAGetLastError.WS2_32(?,070F0047,00000000,00000000,18B52151,?,?), ref: 070F01C1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeavesend
String ID:
API String ID: 421069059-0
Opcode ID: 1d6e36b8306ecea94e2c7cd3e144129a3a080cec60a60d5d7e3a1bba1000be65
Instruction ID: 14372b9bab99b5ffe9d4bff4cb5d2dce6478e789fb556c4f642f995bd00346bf
Opcode Fuzzy Hash: 1d6e36b8306ecea94e2c7cd3e144129a3a080cec60a60d5d7e3a1bba1000be65
Instruction Fuzzy Hash: F33191B22006019FD728CF68E8C8A5BBBE5FF94310F10465AF945CB746DB75E851CBA0

Function 072497B0 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 072497BE

Part of subcall function 07248694: __FF_MSGBANNER.LIBCMT ref: 072486AD
Part of subcall function 07248694: __NMSG_WRITE.LIBCMT ref: 072486B4
Part of subcall function 07248694: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 072486D9

_free.LIBCMT ref: 072497D1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: a84099078b2ed93ffe8a85e0a27b5ce3b479b240359ba32824c317d97ad3b8b2
Instruction ID: f215d0de4bf610c4f17de41c21190213db6cfad0dbae85d597cfad3381c174d4
Opcode Fuzzy Hash: a84099078b2ed93ffe8a85e0a27b5ce3b479b240359ba32824c317d97ad3b8b2
Instruction Fuzzy Hash: C2110DF3874217EBDB2D2F78B80865B37A5EF45270F108526E8989B180DE7498C187E1

Function 07190890 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 071D28E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,?,?,?,?,071908A3,?,?,?,?), ref: 071D2936
Part of subcall function 071D28E0: GetLastError.KERNEL32(?,?,?,?,071908A3,?,?,?,?,?,?,071A9D54,?,07346D34,-00000040,(TEST_ENG_OPENSSL_PKEY)Loading Private key %s), ref: 071D293E
Part of subcall function 071D28E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,?,?,071908A3,?,?,?,?), ref: 071D2962
Part of subcall function 071D28E0: GetLastError.KERNEL32(?,?,?,?,071908A3,?,?,?,?,?,?,071A9D54,?,07346D34,-00000040,(TEST_ENG_OPENSSL_PKEY)Loading Private key %s), ref: 071D296A

GetLastError.KERNEL32(crypto\bio\bss_file.c,00000045), ref: 071908CB

Strings

',', xrefs: 071908E1
crypto\bio\bss_file.c, xrefs: 071908C6, 0719090C, 07190928
fopen(', xrefs: 071908E7

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide
String ID: ','$crypto\bio\bss_file.c$fopen('
API String ID: 3361762293-2653154188
Opcode ID: 55747abe9c0d24473daa2cb0d1cd0f1e5d38d22ca3ecbfa15dbb4a744f400e21
Instruction ID: 9ff497ee3476fa2da9bab57766c0d1d7ecbf155502f70d1061426c6a6421a242
Opcode Fuzzy Hash: 55747abe9c0d24473daa2cb0d1cd0f1e5d38d22ca3ecbfa15dbb4a744f400e21
Instruction Fuzzy Hash: 0021C0F3BD1314B6E63135A86C07F9B66A9CB85AB2F014072F708A91C2EB92545582F3

Function 070F0580 Relevance: 4.6, APIs: 3, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 070F0601
_memmove.LIBCMT ref: 070F069E
SetEvent.KERNEL32(?), ref: 070F06EE

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: AllocateEventHeap_memmove
String ID:
API String ID: 3966493562-0
Opcode ID: c1444bfdea1db20438c0a340f33cba900893b3c177b3a6a09c77ed703fa4cbc2
Instruction ID: f11227728c4519f3defe4cd8028c74c7941dfeb6b9dce96fc32c3288946b9cab
Opcode Fuzzy Hash: c1444bfdea1db20438c0a340f33cba900893b3c177b3a6a09c77ed703fa4cbc2
Instruction Fuzzy Hash: F2513AB0A00606DFCB58CF69D4849AAF7F5FF88304B15C66ED9199B712E730EA44CB90

Function 070F04C0 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070F050B
RtlLeaveCriticalSection.NTDLL(?), ref: 070F0539

Part of subcall function 070F0580: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 070F0601
Part of subcall function 070F0580: _memmove.LIBCMT ref: 070F069E

SetLastError.KERNEL32(00000057,18B52151,?,?,?,?,?,07262698,000000FF,?,070BAE61,?), ref: 070F0544

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$AllocateEnterErrorHeapLastLeave_memmove
String ID:
API String ID: 865482700-0
Opcode ID: 782199d3d7f392300a7e05212a20ef32317114d627367b4248948040054ff59a
Instruction ID: f9049bcc613e8fe960001733af349063a06cee98dc233c3ffa5558a359702ca3
Opcode Fuzzy Hash: 782199d3d7f392300a7e05212a20ef32317114d627367b4248948040054ff59a
Instruction Fuzzy Hash: 8C11D3F2A04616DFD710CB18D854BABB7A8EB44B50F418266EE15D7741DB79DD0087D0

Function 070F0A40 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 070F0DA0: socket.WS2_32(?,00000001,00000006), ref: 070F0DF8
Part of subcall function 070F0DA0: WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 070F0E44
Part of subcall function 070F0DA0: WSAGetLastError.WS2_32(?,00000001,00000006), ref: 070F0E55
Part of subcall function 070F0DA0: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 070F0E9C
Part of subcall function 070F0DA0: ioctlsocket.WS2_32(?,8004667E,?), ref: 070F0EC4

ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 070F0AA9
GetLastError.KERNEL32(?,?,?,?,070E1319,?,?), ref: 070F0ABA
SetLastError.KERNEL32(00000000,?,?,?,070E1319,?,?), ref: 070F0ACB

Part of subcall function 070F0FE0: CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,070F0A87,?,?,?,?,070E1319,?,?), ref: 070F0FE8
Part of subcall function 070F0FE0: GetLastError.KERNEL32(?,?,?,?,070E1319,?,?), ref: 070F0FF6
Part of subcall function 070F0FE0: SetLastError.KERNEL32 ref: 070F1006

Part of subcall function 070F11A0: CreateIoCompletionPort.KERNEL32(?,?,?,00000000,?,?,?,070F0A9A,?,?,?,?,?,070E1319,?,?), ref: 070F11B7
Part of subcall function 070F11A0: PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,?,?,?,?,070F0A9A,?,?,?,?,?,070E1319,?), ref: 070F11E2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$Completion$CreatePort$EventIoctlPostQueuedResetStatusioctlsocketsetsockoptsocket
String ID:
API String ID: 2762756280-0
Opcode ID: 1eccbfab7b54cdf4fb7a2fee5ca597beb81c62cf6bcdc0c3b1319aef57e291d7
Instruction ID: 877a38926714a279c18109f7c4bc5105df911eb0062a4f3f034741dc93f2958f
Opcode Fuzzy Hash: 1eccbfab7b54cdf4fb7a2fee5ca597beb81c62cf6bcdc0c3b1319aef57e291d7
Instruction Fuzzy Hash: F8115EB13016128FD750EBA9E8449AFB3E9EF98350F148226EB45C3B41EB25D80287B1

Function 070E5F40 Relevance: 4.5, APIs: 3, Instructions: 42networkCOMMON

Download Yara Rule

APIs

Part of subcall function 070E5570: StrChrA.SHLWAPI(?,0000003A,?,070E5A56,18B52151), ref: 070E558C

WSASetLastError.WS2_32(00002741,?,?,?,070F683F,?,?,?), ref: 070E5F60
WSAStringToAddressA.WS2_32(?,?,00000000,?,070F683F,?,?,?,070F683F,?,?,?), ref: 070E5F88
htons.WS2_32(?), ref: 070E5F98

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: AddressErrorLastStringhtons
String ID:
API String ID: 1418563660-0
Opcode ID: 888260a09fb86346dfe61d07de7f977e38637d1489e92d2ab51de9eb5b824c71
Instruction ID: 6ae510fd742dda69cbe136ba5738c86a115fcfab17a8f82c24f55b9c30c6456a
Opcode Fuzzy Hash: 888260a09fb86346dfe61d07de7f977e38637d1489e92d2ab51de9eb5b824c71
Instruction Fuzzy Hash: EEF0F6B1524215AFD7146764BC0ABF973ECDF44308F448B5BFC0987290E6A4586053E5

Function 0724987C Relevance: 4.5, APIs: 3, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 07249888

Part of subcall function 07250584: __getptd_noexit.LIBCMT ref: 07250587
Part of subcall function 07250584: __amsg_exit.LIBCMT ref: 07250594

__endthreadex.LIBCMT ref: 07249898

Part of subcall function 0724985D: __getptd_noexit.LIBCMT ref: 07249862
Part of subcall function 0724985D: __freeptd.LIBCMT ref: 0724986C
Part of subcall function 0724985D: RtlExitUserThread.NTDLL(?,?,0724989D,00000000), ref: 07249875
Part of subcall function 0724985D: __XcptFilter.LIBCMT ref: 072498A9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 4175385852-0
Opcode ID: 0358ec04bb4cea58d19d955c78dfe568599d8dbfe92d3b266af30878e1728927
Instruction ID: c3a5a39d353dec5fe1b06206b8c421744d9db010b927174fef504a0857e79a54
Opcode Fuzzy Hash: 0358ec04bb4cea58d19d955c78dfe568599d8dbfe92d3b266af30878e1728927
Instruction Fuzzy Hash: 52E0ECF1951604DFEB1CABA0C945E2E7B75AF46711F200088E9016B2A1CA75A9409A22

Function 070EFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 070EFCC8

Part of subcall function 070F8500: WSAGetLastError.WS2_32(00000001,00000001,?,070EFCDC,?), ref: 070F8505
Part of subcall function 070F8500: WSAResetEvent.WS2_32(?,?,070EFCDC,?), ref: 070F8542

Strings

, xrefs: 070EFD64

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: ee00d86d98bbb13fee67c2a64ddeb9ccf4d70793084c78bc837814c2b835f51f
Instruction ID: eac0335c3707c35539eab4bf387c881103f8c66c56b0a2a1f7eed674495ff679
Opcode Fuzzy Hash: ee00d86d98bbb13fee67c2a64ddeb9ccf4d70793084c78bc837814c2b835f51f
Instruction Fuzzy Hash: BA3181F161470A8FCBA0DF69D440A6AFBFABF84214F14476DD956C3740EB31E9058B81

Function 070BA4E0 Relevance: 3.1, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,18B52151,070BE1C5,070BE1BD,?,00000000,072634E3,000000FF,?,070C3553,070BE561,070BE1C9,?,18B52151), ref: 070BA52F
_free.LIBCMT ref: 070BA58B

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateException@8HeapThrow_free
String ID:
API String ID: 1065114656-0
Opcode ID: 5f1c013630d0f4561c5d3e6f89b6818316e985397ca3be7a0a910c63cd6de6d9
Instruction ID: 6471be63553655fc4e312de7f73047f1e71c6b2e5abb7f9c0268cb595733e1b1
Opcode Fuzzy Hash: 5f1c013630d0f4561c5d3e6f89b6818316e985397ca3be7a0a910c63cd6de6d9
Instruction Fuzzy Hash: ED3125F1A01A46EFD744CF6AC888799FBA8FB08300F50863ED52997640D774AA608F91

Function 07186C00 Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 07186C5B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 7ca57608e893d9c15037655741261e2fcf1f1a8a01a5d0a83e13f7c347fe7b88
Instruction ID: 26aff01094831118b6ce05361a2201681b6bb4b0dc35be33a54350b3fc96bea5
Opcode Fuzzy Hash: 7ca57608e893d9c15037655741261e2fcf1f1a8a01a5d0a83e13f7c347fe7b88
Instruction Fuzzy Hash: BD1152F0724342ABDAA9EB65DC95A2B33D9EBC0640F18C91CF454C6282E739E544DE12

Function 070C2E20 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,070BC2A3,18B52151,00000008,00000000), ref: 070C2E3B
_free.LIBCMT ref: 070C2E76

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateException@8HeapThrow_free
String ID:
API String ID: 1065114656-0
Opcode ID: 882a6b5dc7aa30d0f12b0d0701464620da0ac7b83fe85812be7d4895a1dd15f9
Instruction ID: 09a7489f0e5da1e944388d1d65a97672f4c4cb90ab142312d14afaab59bd4443
Opcode Fuzzy Hash: 882a6b5dc7aa30d0f12b0d0701464620da0ac7b83fe85812be7d4895a1dd15f9
Instruction Fuzzy Hash: 4B017EF0A00B449FD730CF2AD844A47FAE8FF94704B104A1EE2DAD6A10D375A105CF55

Function 070C2D30 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,070BAC39,?,?,?,?,00000004,00000000,00000000), ref: 070C2D4B
_free.LIBCMT ref: 070C2D86

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateException@8HeapThrow_free
String ID:
API String ID: 1065114656-0
Opcode ID: 785ccba49b457dfaf518520421ee82570440bf4e01b7f3dfd14470293f306ec0
Instruction ID: c5a1ecce5648554d201bd14156771978b91c26f7dd08c090ef9bdf0af2c28552
Opcode Fuzzy Hash: 785ccba49b457dfaf518520421ee82570440bf4e01b7f3dfd14470293f306ec0
Instruction Fuzzy Hash: F4017AF1A00B409FD730DF6A9884A47FAE8FF98700B104A1EE2DAC6A10D375A145CB55

Function 070B9E80 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 070B9EA4
GetNativeSystemInfo.KERNEL32(?), ref: 070B9EB9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ba46d9f2d666c9138b53172c612d6e42512b73026d2dabf63a437ddb92e3f39b
Instruction ID: ac4eb4081c611b5e2735fba03ecb148f08ba579a384d975ea81f98437a69df8d
Opcode Fuzzy Hash: ba46d9f2d666c9138b53172c612d6e42512b73026d2dabf63a437ddb92e3f39b
Instruction Fuzzy Hash: ADF062B1B2421D8BEF10CBB8E5829A977ECE70C318F004197DC0893602E6BAA9408BC4

Function 070C2AA0 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(?,?,?,?,00000004,00000000,00000000,?,070BB23E), ref: 070C2AB4
_free.LIBCMT ref: 070C2AF3

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateException@8HeapThrow_free
String ID:
API String ID: 1065114656-0
Opcode ID: 6e77d6ffabe54bf2b612e70c271579a9de408b3947bbb51e4e92b202c0845cc0
Instruction ID: c09262ebaeec25c74007513b2c954a764fc60073b6182a4706e5330da6bdbf2e
Opcode Fuzzy Hash: 6e77d6ffabe54bf2b612e70c271579a9de408b3947bbb51e4e92b202c0845cc0
Instruction Fuzzy Hash: 600188F0A00B409FD731CF2A9844A4BFAE8FFA4740F104A1EE2DA86A10D3B5A145CB91

Function 07250E5F Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 07250EA2

Part of subcall function 0724AA53: __getptd_noexit.LIBCMT ref: 0724AA53

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5662364dd35cfe9f84b05beee68f4cad448de2c02e69c3edf9b9c3ef785dce0b
Instruction ID: bddb216b0438a32e097b84706e8823a3f0103e427e831ae8aa09a603cb004fa1
Opcode Fuzzy Hash: 5662364dd35cfe9f84b05beee68f4cad448de2c02e69c3edf9b9c3ef785dce0b
Instruction Fuzzy Hash: E001B1B262125F9BEB38AE35DC18B6B3758EF81760F248929EC55DB290DB749440C660

Function 07186AE0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 07186B0F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: e55799ada3d1866706bb7d15b8fd6b6ae9aad08f5da2452ebb27ca3665181b08
Instruction ID: 9bbc49e87e5b0cb6fe0a931fc0071dfe17120790fc758775102c054578cc59d1
Opcode Fuzzy Hash: e55799ada3d1866706bb7d15b8fd6b6ae9aad08f5da2452ebb27ca3665181b08
Instruction Fuzzy Hash: 5BD09EF4A04246AAEAA9AA56F84A7163399A790F44FA8C868D414CA1D2F378D554CE03

Function 0724E5C6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 0724E5D3

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction ID: c9ba5706eeb69708943bf06b977887d418ceedf9b215e7d19ceeeec43ff1bb05
Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction Fuzzy Hash: 9DC09BF244010C77DF111B42DC05F453F1997C0660F054010FB1C19160A573D5619985

Function 0724A9B3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 0724A9C0

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: dd8d4042a07b9d810917f83d108be0b2d4b64a40d017318a94aae9132a0492f0
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 01C09BB244020C77DF111942DC01E453F19DBC4660F148010FB1C191609573D5619585

Non-executed Functions

Function 071AB2B0 Relevance: 33.5, APIs: 11, Strings: 8, Instructions: 287encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,071AD3BA), ref: 071AB307
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,?,?,?,071AD3BA), ref: 071AB32C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,071AD3BA), ref: 071AB360
CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,?,F0000000,?,?,?,?,?,?,071AD3BA), ref: 071AB3B0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,071AD3BA), ref: 071AB3E4
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000001,?,?,?,?,071AD3BA), ref: 071AB412
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,071AD3BA), ref: 071AB446
CryptReleaseContext.ADVAPI32(?,00000000), ref: 071AB476
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 071AB513
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,071AD3BA), ref: 071AB559
CryptReleaseContext.ADVAPI32(?,00000000), ref: 071AB5E5

Strings

Error code= 0x, xrefs: 071AB37B, 071AB461, 071AB5A5
engines\e_capi.c, xrefs: 071AB34E, 071AB3D2, 071AB434, 071AB4A8, 071AB4D4, 071AB581, 071AB5D1
%lX, xrefs: 071AB367, 071AB3EB, 071AB44D, 071AB591
Got max container len %d, xrefs: 071AB485
Container name %s, len=%d, index=%d, flags=%d, xrefs: 071AB527
%lu. %s, xrefs: 071AB548
Enumerate bug: using workaround, xrefs: 071AB5BD
Listing containers CSP=%s, type = %d, xrefs: 071AB2D9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Crypt$ErrorLast$Context$ByteCharMultiParamProvReleaseWide$Acquire
String ID: %lX$%lu. %s$Container name %s, len=%d, index=%d, flags=%d$Enumerate bug: using workaround$Error code= 0x$Got max container len %d$Listing containers CSP=%s, type = %d$engines\e_capi.c
API String ID: 3840881184-806891013
Opcode ID: 0863e40f9e6036a01c91c8d4b3a5f0b340a9fc3adbc8534e02e27c2b1bf5acf0
Instruction ID: cba8df0fa25853f5b86e5e68cbe32baa9989b10bf837f4b05415359fb3ad8bb6
Opcode Fuzzy Hash: 0863e40f9e6036a01c91c8d4b3a5f0b340a9fc3adbc8534e02e27c2b1bf5acf0
Instruction Fuzzy Hash: E591B3F4B44245BBEB20EBA4EC46FBF7778AF45B14F008415F609A62C1D7B499148BE2

Function 071AC200 Relevance: 21.4, APIs: 3, Strings: 9, Instructions: 374encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,00000000,?,00000000,?,00000000,00000000,071AD266,?,00000000,FFFFFFFF), ref: 071AC245
GetLastError.KERNEL32 ref: 071AC275
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,00000000,?), ref: 071AC2EB

Strings

Error code= 0x, xrefs: 071AC292
%ux, xrefs: 071AC55D
engines\e_capi.c, xrefs: 071AC263, 071AC2BF, 071AC309, 071AC32F, 071AC38A, 071AC503, 071AC51A, 071AC573, 071AC5BE
DSS1, xrefs: 071AC36C
magic=0x, xrefs: 071AC39D, 071AC5D1
%lX, xrefs: 071AC27C
RSA1, xrefs: 071AC5A0
%lx, xrefs: 071AC374, 071AC5A8
aiKeyAlg=0x, xrefs: 071AC589

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CryptExport$ErrorLast
String ID: %lX$%lx$%ux$DSS1$Error code= 0x$RSA1$aiKeyAlg=0x$engines\e_capi.c$magic=0x
API String ID: 2635512942-970454313
Opcode ID: a4c259b8f1468306c10ebad5fd3d1f65ee5db0132d4641ad34417d6ab4176deb
Instruction ID: aa2f6fccd861710341ee133be9e299c3ef517bb5171dd9eb31abed7bc1028cdf
Opcode Fuzzy Hash: a4c259b8f1468306c10ebad5fd3d1f65ee5db0132d4641ad34417d6ab4176deb
Instruction Fuzzy Hash: 76C176F5B54301BBE610EF64AC82F6B73A9AF84644F444828F6499A2C1EB74E501C7F7

Function 071AAD40 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 168encryptionCOMMON

Download Yara Rule

APIs

CryptEnumProvidersW.ADVAPI32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,071AD35B), ref: 071AADA7
CryptEnumProvidersW.ADVAPI32(00000000,00000000,00000000,?,00000000,?), ref: 071AADE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,071AD35B), ref: 071AAE50
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,071AD35B), ref: 071AAED3

Part of subcall function 07186B90: _free.LIBCMT ref: 07186BA7

Strings

Error code= 0x, xrefs: 071AAF34
capi_get_provname, returned name=%s, type=%d, xrefs: 071AAE15
capi_get_provname, index=%d, xrefs: 071AAD81
engines\e_capi.c, xrefs: 071AADBA, 071AADF7, 071AAE3C, 071AAE7C, 071AAEBF, 071AAEDE, 071AAF0E
%lu. %s, type %lu, xrefs: 071AAE2C
capi_list_providers, xrefs: 071AAD5F
Available CSPs:, xrefs: 071AAD6F
%lX, xrefs: 071AAE8C, 071AAF1E

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CryptEnumErrorLastProviders$_free
String ID: %lX$%lu. %s, type %lu$Available CSPs:$Error code= 0x$capi_get_provname, index=%d$capi_get_provname, returned name=%s, type=%d$capi_list_providers$engines\e_capi.c
API String ID: 168267975-2617589956
Opcode ID: dbc46fcb06b17cdf1074525c251166c192684bcd0d35304b85216feba7035295
Instruction ID: e43bd7df7f27cc3253b0650277cbaa1a65c2474fadd764c89d81d6e1fdfe87fc
Opcode Fuzzy Hash: dbc46fcb06b17cdf1074525c251166c192684bcd0d35304b85216feba7035295
Instruction Fuzzy Hash: F041B6F5B84301B6F210FA60AC42F6B769C9F85B10F008419F749A62C1EBA4A515C7F7

Function 071AC740 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 239encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(?,0000800D,00000000,00000000,?), ref: 071AC8BB
GetLastError.KERNEL32 ref: 071AC8EF
CryptSetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 071AC93B
CryptSignHashW.ADVAPI32(?,?,00000000,00000000,?,?), ref: 071AC999
CryptDestroyHash.ADVAPI32(?), ref: 071ACA07

Strings

Error code= 0x, xrefs: 071AC90C
Called CAPI_rsa_sign(), xrefs: 071AC78B
engines\e_capi.c, xrefs: 071AC7C5, 071AC868, 071AC8DD, 071AC95D, 071AC9A8
%lX, xrefs: 071AC8F6
NID=0x, xrefs: 071AC87C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CryptHash$CreateDestroyErrorLastParamSign
String ID: %lX$Called CAPI_rsa_sign()$Error code= 0x$NID=0x$engines\e_capi.c
API String ID: 196291967-4120660026
Opcode ID: efb43f695dd1573d4ddc5ed1a17074ea41104a44a7d710bd9e38fcdf3fc3c0f9
Instruction ID: 487491bc46423927d33dd4cf1475351332b3b255e2ec44419463484186515fa9
Opcode Fuzzy Hash: efb43f695dd1573d4ddc5ed1a17074ea41104a44a7d710bd9e38fcdf3fc3c0f9
Instruction Fuzzy Hash: 4771E3F5758301BBE214EF68EC42F2B72A8AB85714F444519F659DA2C0E764E9048BF3

Function 071ACFF0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 235encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 071AD053
CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 071AD163
CertCloseStore.CRYPT32(00000000,00000000), ref: 071AD17E
CryptDestroyKey.ADVAPI32(?), ref: 071AD1E7
CryptReleaseContext.ADVAPI32(?,00000000), ref: 071AD1F3
CertFreeCRLContext.CRYPT32(00000000), ref: 071AD200

Strings

engines\e_capi.c, xrefs: 071AD0F8, 071AD20B
Can't Parse Certificate %d, xrefs: 071AD08C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Cert$Store$CertificatesContextCryptEnum$CloseDestroyFreeRelease
String ID: Can't Parse Certificate %d$engines\e_capi.c
API String ID: 514671724-3721758623
Opcode ID: 094d4f05f8777b0d12859e9a179e3519170b2d896008f651001dab141cabf169
Instruction ID: 36cdbb74dc6f26471081daf5a5232bbdb51731add112f26f6c55b5495f4c8332
Opcode Fuzzy Hash: 094d4f05f8777b0d12859e9a179e3519170b2d896008f651001dab141cabf169
Instruction Fuzzy Hash: DC7193F9604705EBD210EF64EC81A2B73E8EF85614F044829F98997385EB35E915CBF2

Function 071AAB50 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 163encryptionCOMMON

Download Yara Rule

APIs

CryptEnumProvidersW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,071AC1BD,?,?,071AD566), ref: 071AAB8D
GetLastError.KERNEL32(?,00000000,?,?,?,?,071AC1BD,?,?,071AD566), ref: 071AAB9B

Strings

Error code= 0x, xrefs: 071AAC00
capi_get_provname, returned name=%s, type=%d, xrefs: 071AAD1A
capi_get_provname, index=%d, xrefs: 071AAB6D
engines\e_capi.c, xrefs: 071AABDA, 071AAC2C, 071AAC58, 071AAC9F, 071AACC0, 071AACF6
%lX, xrefs: 071AABEA

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CryptEnumErrorLastProviders
String ID: %lX$Error code= 0x$capi_get_provname, index=%d$capi_get_provname, returned name=%s, type=%d$engines\e_capi.c
API String ID: 747760079-960962821
Opcode ID: c2648a0af76159aad6d0ae15fd1d97572ddefab4eff26fdacb6873d5728a620c
Instruction ID: 0d2683cc5c7c1250fe856bd1e41f12ff11e910e773df8e9800132d53d5fef5fb
Opcode Fuzzy Hash: c2648a0af76159aad6d0ae15fd1d97572ddefab4eff26fdacb6873d5728a620c
Instruction Fuzzy Hash: BE41D5F5790301BBF610BB78AC02F5F7398AF94B10F808429F749962C1EBA49514C6E7

Function 071AC000 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 146encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 071AC046
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 071AC069
CryptAcquireContextW.ADVAPI32(000000FF,00000000,?,00000000,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 071AC087
CryptReleaseContext.ADVAPI32(000000FF,00000000,?,00000000,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 071AC097
GetLastError.KERNEL32(?,?,000000FF,00000000,00000000), ref: 071AC127

Strings

Error code= 0x, xrefs: 071AC142
engines\e_capi.c, xrefs: 071AC0A5, 071AC0D5, 071AC115, 071AC16F
%lX, xrefs: 071AC12E
capi_ctx_set_provname, name=%s, type=%d, xrefs: 071AC023

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ByteCharContextCryptMultiWide$AcquireErrorLastRelease
String ID: %lX$Error code= 0x$capi_ctx_set_provname, name=%s, type=%d$engines\e_capi.c
API String ID: 2868654666-3877675152
Opcode ID: 83afbfa78a5d980c3d4546c76a454572a932b5a5d25398599dd62ec01eed15ca
Instruction ID: ae46760e2209a6ba3c236ba915fd9026457d740e8c7e6cd754cf14d455911248
Opcode Fuzzy Hash: 83afbfa78a5d980c3d4546c76a454572a932b5a5d25398599dd62ec01eed15ca
Instruction Fuzzy Hash: 5441B9F5740205BBEB10EFA4EC46FAA73A8EB44714F104125F609A72C1DBB5A914CBE5

Function 071ACA30 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 211COMMON

Download Yara Rule

Strings

Error code= 0x, xrefs: 071ACC1C
engines\e_capi.c, xrefs: 071ACABF, 071ACB1C, 071ACB59, 071ACB72, 071ACBED, 071ACC38, 071ACC77
padding=, xrefs: 071ACB30
%lX, xrefs: 071ACC06
Called capi_rsa_priv_dec(), xrefs: 071ACA85

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: %lX$Called capi_rsa_priv_dec()$Error code= 0x$engines\e_capi.c$padding=
API String ID: 0-178263006
Opcode ID: 5ed67ee6a068bd40ce9afd5d6ef73261fde3a90d562ecda2a9b141e351eaaf78
Instruction ID: f95360a3e8222f910fe4154f75fade63a238380b8f44e553e9c0adcd4815d672
Opcode Fuzzy Hash: 5ed67ee6a068bd40ce9afd5d6ef73261fde3a90d562ecda2a9b141e351eaaf78
Instruction Fuzzy Hash: 9751F7F5754301ABF200FB68AC42F6F73999F94A24F404519F749AA2C1EBA5E60487E3

Function 071ACCA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 199encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 071ACD8E
CryptSetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 071ACDE5
CryptSignHashW.ADVAPI32(?,?,00000000,00000000,?,?), ref: 071ACE2E

Part of subcall function 071AB260: GetLastError.KERNEL32(071AC320), ref: 071AB275

CryptDestroyHash.ADVAPI32(?), ref: 071ACECE

Strings

engines\e_capi.c, xrefs: 071ACD11, 071ACD56, 071ACDB0, 071ACDF4, 071ACE3D
(, xrefs: 071ACE1F
Called CAPI_dsa_do_sign(), xrefs: 071ACCD7

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CryptHash$CreateDestroyErrorLastParamSign
String ID: ($Called CAPI_dsa_do_sign()$engines\e_capi.c
API String ID: 196291967-3930400009
Opcode ID: 0632423fbf190db96e11837ff9124aefd19b6187ca58dcbfa7d74805d77af38d
Instruction ID: 24daef487ede43467ca68d2b5f38aee250d27de726f536eeaefa277b212f5dde
Opcode Fuzzy Hash: 0632423fbf190db96e11837ff9124aefd19b6187ca58dcbfa7d74805d77af38d
Instruction Fuzzy Hash: A151D8F5B54305BBE620BF74AC43F2B37A8AF50B14F414429F64AA62C1EB64E50486F3

Function 0711A790 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 786COMMON

Download Yara Rule

Strings

, xrefs: 0711A81F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e256a5bd928b0fab3bcfb47feaad5d6c3a4bfd1ce66cdf04ecc16d011e9ba566
Instruction ID: 95f0da833efd1766c55b397be7374caa3c643755d27ddda87c088a528c44cd5b
Opcode Fuzzy Hash: e256a5bd928b0fab3bcfb47feaad5d6c3a4bfd1ce66cdf04ecc16d011e9ba566
Instruction Fuzzy Hash: 3152D8F190051A9FDB19CF68C890AADBBF2FF88310F55C678D956AB385D730A901CB94

Function 0711B050 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 786COMMON

Download Yara Rule

Strings

, xrefs: 0711B0DF

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ad1adbcfd74a242c42f7edcd7943e31d041c8ea4ee6aa6c595920aaca19bcd7c
Instruction ID: b59f7b62c2a076e38adf10c6559cf2b780dab8af414a87537176a6f7fd44f596
Opcode Fuzzy Hash: ad1adbcfd74a242c42f7edcd7943e31d041c8ea4ee6aa6c595920aaca19bcd7c
Instruction Fuzzy Hash: 7452A6F1A145199FCB29CF58C890AADB7F2FF89300F15867CE956AB385D730A911CB90

Function 071180D0 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 718COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 07118317
_memmove.LIBCMT ref: 071187AC
_memmove.LIBCMT ref: 0711885D

Strings

, xrefs: 0711815C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-3916222277
Opcode ID: 12c9b3ef0d5a8c850d67fe141f9dcc596d3907de6dad325123e07a11547b5fde
Instruction ID: c12d23a97b6ab6ab2a2d0471065ed895ed4d8a59768cd73251305063b4ea96d5
Opcode Fuzzy Hash: 12c9b3ef0d5a8c850d67fe141f9dcc596d3907de6dad325123e07a11547b5fde
Instruction Fuzzy Hash: 3A42A4B1A105199FCB18CF68C890AADB7F2FF88320F55C678D916AB3C5D730A941CB94

Function 07116990 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 718COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 07116BD7
_memmove.LIBCMT ref: 0711706C
_memmove.LIBCMT ref: 0711711D

Strings

, xrefs: 07116A1C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-3916222277
Opcode ID: 5a5dabcb1302b4d9713e01c9c3a080e2c66d3476ad5e5cf5e1d304c4837defc7
Instruction ID: 16d28ca91585efa41b59a181896f70830c654f9fbb7ed633dae2c0ec3b02f831
Opcode Fuzzy Hash: 5a5dabcb1302b4d9713e01c9c3a080e2c66d3476ad5e5cf5e1d304c4837defc7
Instruction Fuzzy Hash: 8342B7B1A105159BCF18CF68C890AADB7F2FF89310F158678D916AB3C5DB35A901CB94

Function 07118890 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 718COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 07118AD7
_memmove.LIBCMT ref: 07118F6C
_memmove.LIBCMT ref: 0711901D

Strings

, xrefs: 0711891C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-3916222277
Opcode ID: 84b9b176596ed0d0bde1c3ed61768480e6d89218f4c2a04e353c231c25245d21
Instruction ID: 381dbefcdeb41ab289ea5881621cacf0bd208cbf33a20454dfcbe981fe9f6f49
Opcode Fuzzy Hash: 84b9b176596ed0d0bde1c3ed61768480e6d89218f4c2a04e353c231c25245d21
Instruction Fuzzy Hash: 3B4295B1E1051A9BCF18CF68C8906ADB7B2FF89320F15C679D916AB3C5D734A901CB94

Function 07117150 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 718COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 07117397
_memmove.LIBCMT ref: 0711782C
_memmove.LIBCMT ref: 071178DD

Strings

, xrefs: 071171DC

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-3916222277
Opcode ID: d3ee4091167cc3856c3e1a41d2844502c5fbdaf2fe136c8eb1c7be7d6dfdd7af
Instruction ID: 125886d4fb4369931b0b808ee235e40ff18e5e299e02deb30aa8df35a74b7e62
Opcode Fuzzy Hash: d3ee4091167cc3856c3e1a41d2844502c5fbdaf2fe136c8eb1c7be7d6dfdd7af
Instruction Fuzzy Hash: C342B4B1E1051A9FDB18CF68C8909ADB7F2FF89310F158678E916AB7C5D730A901CB90

Function 07119050 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 718COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 07119297
_memmove.LIBCMT ref: 0711972C
_memmove.LIBCMT ref: 071197DD

Strings

, xrefs: 071190DC

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-3916222277
Opcode ID: 1f50666af9e37010835c39738a56cee58170fc362876f87b42cdc3647a155ca9
Instruction ID: 85da0dad22194a151fa3ec93f565ed205ea627453fbc4cf8ad0d4d9543571f71
Opcode Fuzzy Hash: 1f50666af9e37010835c39738a56cee58170fc362876f87b42cdc3647a155ca9
Instruction Fuzzy Hash: F842B4B1E005599FCB18CF68C8A09ADB7F2FF88310F158679D926AB3C5D734A901CB90

Function 07119FD0 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 718COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0711A217
_memmove.LIBCMT ref: 0711A6AC
_memmove.LIBCMT ref: 0711A75D

Strings

, xrefs: 0711A05C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-3916222277
Opcode ID: 93a676e94c64e8f6038aa5c5a42a96f0314805875d09df3d1b406a71de09dd5b
Instruction ID: 4de6e013fc0665f863db8423b1f4e61fbe2d0b36540570afb861fff117ae4d75
Opcode Fuzzy Hash: 93a676e94c64e8f6038aa5c5a42a96f0314805875d09df3d1b406a71de09dd5b
Instruction Fuzzy Hash: BC42B4B1A015199FDB18CF68C890AADBBF2FF88310F55C679D916AB3C5D734A901CB90

Function 072485B4 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0724E873
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0724E888
UnhandledExceptionFilter.KERNEL32(0733B6E4), ref: 0724E893
GetCurrentProcess.KERNEL32(C0000409), ref: 0724E8AF
TerminateProcess.KERNEL32(00000000), ref: 0724E8B6

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: dcca83299b289957ec4996b8f8a38c4539b2d8a1cae2d28eb9a659a1f6962fec
Instruction ID: 4c324a12010a316ff50f72e5d581177a856e0efc2ab29678ca993678bdf26e1b
Opcode Fuzzy Hash: dcca83299b289957ec4996b8f8a38c4539b2d8a1cae2d28eb9a659a1f6962fec
Instruction Fuzzy Hash: 9821F3B4810214CFE702DF25F08A6643BEAFB08315F90E12AE48887342D77D69818F69

Function 07122720 Relevance: 7.5, APIs: 2, Strings: 1, Instructions: 2228COMMON

Download Yara Rule

Strings

, xrefs: 0712295F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aab3e419e3082767e7406dca3151d720c25fc40b454af5c8c1551c65c65c0b56
Instruction ID: 9b659f32704266af6faa5b6b0dd45a8675d3ba459e1bb5df2d1d09751c5a5014
Opcode Fuzzy Hash: aab3e419e3082767e7406dca3151d720c25fc40b454af5c8c1551c65c65c0b56
Instruction Fuzzy Hash: 7323D1B0A00A698FCB68CF29CC906AEB7F1BF49301F1585E9D98997391D7349E91CF50

Function 07120620 Relevance: 7.5, APIs: 2, Strings: 1, Instructions: 2228COMMON

Download Yara Rule

Strings

, xrefs: 0712085F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f2491e11d359082e97b300791e3d61394ab6bfdc8d8a578c7760a44b68166a49
Instruction ID: 1068eabd6da305d32a6586d3a7b3e01e66583f1728b9e00cfd03de0b2adeef55
Opcode Fuzzy Hash: f2491e11d359082e97b300791e3d61394ab6bfdc8d8a578c7760a44b68166a49
Instruction Fuzzy Hash: D923C0B0A00A298FCB68CF29CC90BAAB7F1BF49305F1585E9D58997391D7349E91CF50

Function 0711E520 Relevance: 7.5, APIs: 2, Strings: 1, Instructions: 2228COMMON

Download Yara Rule

Strings

, xrefs: 0711E75F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5f04c4f7fb939729584efefcf14f9b71eaf8bf629d18742f88e431a37b3899a9
Instruction ID: 4cd61edec482b8318c7e2a48846cdfdf8209378076df10decb15afe7fa6174c6
Opcode Fuzzy Hash: 5f04c4f7fb939729584efefcf14f9b71eaf8bf629d18742f88e431a37b3899a9
Instruction Fuzzy Hash: 5C23D2B4A00A298FCB68CF19CC907AAB7F1BF49306F1585E9D94997391D7349E81CF50

Function 0711C420 Relevance: 7.5, APIs: 2, Strings: 1, Instructions: 2228COMMON

Download Yara Rule

Strings

, xrefs: 0711C65F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e32759218d4294aac6fc3d3c86bec91087e22be2cba9721a3dcc5731b6c279c9
Instruction ID: 224cb3922cc1f357bb1243e52e98f5592f51c8b7e494f2dc918c76ef3454baad
Opcode Fuzzy Hash: e32759218d4294aac6fc3d3c86bec91087e22be2cba9721a3dcc5731b6c279c9
Instruction Fuzzy Hash: 5A23C1B0A00A298FCB68CF29CC90BAAB7F1BF49315F1585E9D58997391D7349E81CF50

Function 071AD690 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 193encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 071AD8DA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 071AD8F5

Strings

engines\e_capi.c, xrefs: 071AD89B
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 071AD8CE

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ContextCrypt$AcquireRelease
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider$engines\e_capi.c
API String ID: 2306398074-90255163
Opcode ID: 0f89332248586d85b1e61305b5bec551ace3786a424173bc8b992e747ec6618f
Instruction ID: 9220759aee1826b497b6b150bdb61166f59cc9e92aef5f6a222cad266954c162
Opcode Fuzzy Hash: 0f89332248586d85b1e61305b5bec551ace3786a424173bc8b992e747ec6618f
Instruction Fuzzy Hash: 9F5152F9B00601FBEB25BBB0FD43F5A226C5F14740F144425FA44D62C6EBA9E5108BB6

Function 071AB180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?), ref: 071AB19F
CryptReleaseContext.ADVAPI32(?,00000000), ref: 071AB1AB
CertFreeCRLContext.CRYPT32(00000000), ref: 071AB1B8

Strings

engines\e_capi.c, xrefs: 071AB1C3

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ContextCrypt$CertDestroyFreeRelease
String ID: engines\e_capi.c
API String ID: 3901750479-2638333933
Opcode ID: 0d544d9ce145823962cfe49a4818f85dbe6e7ed254071aa8a97dda090afcc590
Instruction ID: 7fd1af931211a1681e89b255857294cf5d9b4e7e34864e5ab4314a68258d309e
Opcode Fuzzy Hash: 0d544d9ce145823962cfe49a4818f85dbe6e7ed254071aa8a97dda090afcc590
Instruction Fuzzy Hash: 1CF0B4F6600200BBD230A6A4FC4AF6B73ACDF85B15F008818F945D7380D778E94187B2

Function 071AB1F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?), ref: 071AB20F
CryptReleaseContext.ADVAPI32(?,00000000), ref: 071AB21B
CertFreeCRLContext.CRYPT32(00000000), ref: 071AB228

Strings

engines\e_capi.c, xrefs: 071AB233

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ContextCrypt$CertDestroyFreeRelease
String ID: engines\e_capi.c
API String ID: 3901750479-2638333933
Opcode ID: 02a5843dfa5631fabde903892f55af867429cd653f0bbce28c60b4a749209261
Instruction ID: b5e77f26eaa8afc80e50386ced9c5210e64d7625d9f0ecd660fb7b430ea72ca7
Opcode Fuzzy Hash: 02a5843dfa5631fabde903892f55af867429cd653f0bbce28c60b4a749209261
Instruction Fuzzy Hash: 1DF090FA604240BBD230AA94FC46F6B73ACEF85B15F048419F9159A280D779A94297B2

Function 071AB000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(B8CCCCCC,00000000,071AC735,00000000), ref: 071AB00D
CryptReleaseContext.ADVAPI32(C35FC78B,00000000), ref: 071AB019
CertFreeCRLContext.CRYPT32(00000000), ref: 071AB026

Strings

engines\e_capi.c, xrefs: 071AB031

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ContextCrypt$CertDestroyFreeRelease
String ID: engines\e_capi.c
API String ID: 3901750479-2638333933
Opcode ID: 31112d1a466c826890a81df20169c42c4e695a6d46a995bf0c0aea4255909c8f
Instruction ID: 031f2a9f7ab52571e5a06b9d88bc3a5f6b7d4b47dc2a87d644d954ec2a3be289
Opcode Fuzzy Hash: 31112d1a466c826890a81df20169c42c4e695a6d46a995bf0c0aea4255909c8f
Instruction Fuzzy Hash: D6E04FF5605711A7C630BBA4FC0DF4B77A8AF44B05F044819FA5697381DB78E5408BB5

Function 071249D0 Relevance: 4.8, Strings: 3, Instructions: 1047COMMON

Download Yara Rule

Strings

BX, xrefs: 0712530F
@R, xrefs: 071253C0
BX, xrefs: 071253E8, 0712544B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: BX$@R$BX
API String ID: 0-3079288139
Opcode ID: 48bc3b0709cb7b74760e98224290a4c8c98ee6eb2a314323460c7f3ea80493da
Instruction ID: 50f4c5cc48852b2bcf4f31a0573d590c026441042cd90b684ced14a7d6e6c890
Opcode Fuzzy Hash: 48bc3b0709cb7b74760e98224290a4c8c98ee6eb2a314323460c7f3ea80493da
Instruction Fuzzy Hash: 729260B1E006698FCB18CF58C4D05ADBBB2FF88314F258169D856EB395D730E962DB84

Function 070CAFC0 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,00000000,?,?,070CAF86,00000000,?,00000000,00000000,?,?,?,?,070CB134,?,070DCB53), ref: 070CAFCB
LockResource.KERNEL32(00000000,00000000,?,070CAF86,00000000,?,00000000,00000000,?,?,?,?,070CB134,?,070DCB53,?), ref: 070CAFDA
SizeofResource.KERNEL32(?,00000000,?,070CAF86,00000000,?,00000000,00000000,?,?,?,?,070CB134,?,070DCB53,?), ref: 070CAFEB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 9b60f0e5353bba27cbbce73466e811eebe6be42c94a1cafda16140af0d6b7a7b
Instruction ID: 9fe18dc65d2c1ebe7d98529d9361bd6de290d9ca46397adcab1be0f058e76282
Opcode Fuzzy Hash: 9b60f0e5353bba27cbbce73466e811eebe6be42c94a1cafda16140af0d6b7a7b
Instruction Fuzzy Hash: 77F09CF370012E56DB30ABB9FC4A9BEB7DCDB806AA314867BF559C7240E134D84592B0

Function 070F69B0 Relevance: 4.5, APIs: 3, Instructions: 27networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,?,-0000001D), ref: 070F69C6
InterlockedIncrement.KERNEL32(0736D0CC), ref: 070F69E0
InterlockedIncrement.KERNEL32(0736D0CC), ref: 070F69EB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: IncrementInterlocked$bind
String ID:
API String ID: 3786334496-0
Opcode ID: e2bafb04f19aef9b7fce4707cfe9886cc02d884ee94f3289fd3c203c58bf89f6
Instruction ID: 382b3564a2f80ce0214f1a13e3535f93573d381ab73ad98974cbb37c6a0bf946
Opcode Fuzzy Hash: e2bafb04f19aef9b7fce4707cfe9886cc02d884ee94f3289fd3c203c58bf89f6
Instruction Fuzzy Hash: F0E0DFF2A20922ABEB446B3CFC0AAA926D8EF05230700439AF111C35C4E7B4D88187B0

Function 07191220 Relevance: 4.3, Strings: 3, Instructions: 592COMMON

Download Yara Rule

Strings

, xrefs: 071912AF
gfff, xrefs: 071915A0
0, xrefs: 071915F1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: $0$gfff
API String ID: 0-3930087101
Opcode ID: 1fca9816227f9a9f5a290d0447d7aa9cbb82e4c32fe2e6fa0eb9f1df9850d676
Instruction ID: 5f2b8e35162f3b5cc9eabb047966e07b1926b113bcf209038d5427f63e9adf69
Opcode Fuzzy Hash: 1fca9816227f9a9f5a290d0447d7aa9cbb82e4c32fe2e6fa0eb9f1df9850d676
Instruction Fuzzy Hash: 7D12F5F2E0830BABDF169E29C50036AB7F4BB84654F14497DE885932D1F731D9869B83

Function 0710F1D0 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 742COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0710F2C1

Strings

TUUU, xrefs: 0710F7DD

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID: TUUU
API String ID: 2102423945-3549538264
Opcode ID: 632f6f053a61493bd2fd7d0caf5ad3fb5972c0692e2f7c473a09ca0a8bfe1a27
Instruction ID: 8b86b301959c83ed2ad271d15b72f4cf7f049108c441016981ed5d0f73312e67
Opcode Fuzzy Hash: 632f6f053a61493bd2fd7d0caf5ad3fb5972c0692e2f7c473a09ca0a8bfe1a27
Instruction Fuzzy Hash: 55525FB4E012198FCB28CFA8D4915ADFBF6FF89310B25852DE955A7384D774A902CF90

Function 070B9470 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 481COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070B9958

Strings

[RO] %ld bytes, xrefs: 070B94F4, 070B9604, 070B9687, 070B98DC, 070B99A0

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID: [RO] %ld bytes
API String ID: 4104443479-772938740
Opcode ID: 94f85d5e557077e36de6812a3d47d7598b7d0aec59a6f54eb7e0b590f11481ac
Instruction ID: e41e3f2578851784e1ef4fd6e3114a9c6fc5e5016ba5de3416c0bd2938718e6a
Opcode Fuzzy Hash: 94f85d5e557077e36de6812a3d47d7598b7d0aec59a6f54eb7e0b590f11481ac
Instruction Fuzzy Hash: 552214B0A10B06DFDB64CF69C580A9ABBF1BF48300F248A6DD95A97751D730FA41CB90

Function 071A89F0 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 071A8A14
_memset.LIBCMT ref: 071A8A34

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 745242eff855a5eab6359e9f2c5b05d56f1b80fd96de237ea85b257b4fdf3a56
Instruction ID: 9032a2e30923e3a63b2654ae129151e54febf25be55d8d358f7eccbeda29d7cd
Opcode Fuzzy Hash: 745242eff855a5eab6359e9f2c5b05d56f1b80fd96de237ea85b257b4fdf3a56
Instruction Fuzzy Hash: 8341B26960D7C19FC35ECB3948C09A6BF926FB2000B49C59CD8845B7C7C564E959C7B2

Function 0712DF00 Relevance: 2.8, Strings: 1, Instructions: 1600COMMON

Download Yara Rule

Strings

@R, xrefs: 0712EEA2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 817d7b362375d138e633925dbc51e6699565d7dab4a1476e1aa04e388262c4b2
Instruction ID: f62622ee61268ad2d9ed17e7b161b2258eb3c05a3149cd50ba23a0ab762c1712
Opcode Fuzzy Hash: 817d7b362375d138e633925dbc51e6699565d7dab4a1476e1aa04e388262c4b2
Instruction Fuzzy Hash: 46E28FB1A0062A8FCB18CF68C4D49ADBBB2FF88304F24856DD456AB795D730E956CF44

Function 0712A9A0 Relevance: 2.6, Strings: 1, Instructions: 1366COMMON

Download Yara Rule

Strings

@R, xrefs: 0712B702

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: e580cad04b08f39f2f0cfb42117607938ecda181c9a702d827679ecd037691e0
Instruction ID: e8372d560c821acb7db2416a39bbb165de7be6fb2445a6ba4aeefb7410e12487
Opcode Fuzzy Hash: e580cad04b08f39f2f0cfb42117607938ecda181c9a702d827679ecd037691e0
Instruction Fuzzy Hash: E5C262F1E0422ACFCB19CF58C4906ADB7B2FF48314F19816DD856AB385E734A952DB84

Function 07126D30 Relevance: 2.6, Strings: 1, Instructions: 1320COMMON

Download Yara Rule

Strings

@R, xrefs: 071279F5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 29df9d3de8e5ce953e88fca107935599179e56907dc9dcba8ed2d0c71ff7f080
Instruction ID: d7c2942bfe071fcd8828c139367afad791976cf4a3be5540bfac2147d975b00c
Opcode Fuzzy Hash: 29df9d3de8e5ce953e88fca107935599179e56907dc9dcba8ed2d0c71ff7f080
Instruction Fuzzy Hash: 3BC27FB1E0022ACFCB18CF58C5905AEB7B2FF88314F25856DD946AB7D5D730A952DB80

Function 07128B90 Relevance: 2.5, Strings: 1, Instructions: 1250COMMON

Download Yara Rule

Strings

@R, xrefs: 071297E0

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 5eb3750c71a30e680746a7434cd2a8ec5aa772580941fcbdb8293aeb80376235
Instruction ID: eda2cfc8f11f3ffae4387890d18e55ec2a605f24c1be3ccbb23af1525526e310
Opcode Fuzzy Hash: 5eb3750c71a30e680746a7434cd2a8ec5aa772580941fcbdb8293aeb80376235
Instruction Fuzzy Hash: 7EB27DB1E0022A8FCB18CF58C4906ADB7B6FF88314F258169D855FB395E731A952DB84

Function 07125F60 Relevance: 2.4, Strings: 1, Instructions: 1159COMMON

Download Yara Rule

Strings

@R, xrefs: 07126B31

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 208efd161a77d315fb5d9eba9bda1dabd9be98beee78bb28d9cf60f3f58338bb
Instruction ID: dbfe146219f3adf10080846fe2dce13cfb209786ea55c52506889773ba569551
Opcode Fuzzy Hash: 208efd161a77d315fb5d9eba9bda1dabd9be98beee78bb28d9cf60f3f58338bb
Instruction Fuzzy Hash: 7FA22DB5E002298FDB18CF68D890AADB7B2FF48304F24816DD45AEB785D734A952DF44

Function 0712D170 Relevance: 2.4, Strings: 1, Instructions: 1146COMMON

Download Yara Rule

Strings

@R, xrefs: 0712DCF0

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 843e27737a403d5dc5371b4a3d17602a088cac0be249f5f201fbab0cdab15f5d
Instruction ID: cf1b1a4b790f2f98064b4f5a09a0616d40be48d391b3eab3643ff54ed2000b08
Opcode Fuzzy Hash: 843e27737a403d5dc5371b4a3d17602a088cac0be249f5f201fbab0cdab15f5d
Instruction Fuzzy Hash: 76A22AB1F106298FCB18CF68D8906ACB7B2FB49314F25816DD496EB385D734A952DF80

Function 0712C4C0 Relevance: 2.4, Strings: 1, Instructions: 1115COMMON

Download Yara Rule

Strings

@R, xrefs: 0712CF82

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 82d94a43488e52c34e1432456e4498772f67803285816f15645acef5d14c3109
Instruction ID: f87cdb342fc906188738d6aa43bf3a92df99d2534a89408eea7f818c71605e48
Opcode Fuzzy Hash: 82d94a43488e52c34e1432456e4498772f67803285816f15645acef5d14c3109
Instruction Fuzzy Hash: 03A282B1E0062A8FCB18CF58C4906ADBBB2FF88314F258169D955EB385D730E952DBD4

Function 07125570 Relevance: 2.1, Strings: 1, Instructions: 891COMMON

Download Yara Rule

Strings

@R, xrefs: 07125D95

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: @R
API String ID: 0-3205503559
Opcode ID: 657d77cf1d21d5f2bac100ea2585fdc7f512ff3c58f923199296cbe9c736870c
Instruction ID: acc1597ca590904c602bcaa241f9398a3c43f431183948ff1507fec99d358a38
Opcode Fuzzy Hash: 657d77cf1d21d5f2bac100ea2585fdc7f512ff3c58f923199296cbe9c736870c
Instruction Fuzzy Hash: 777260B1E102298FCB18CF58C4D06ADBBF6FF88314F2581ADD856A7385D734A962DB50

Function 07196DC0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

crypto\rsa\rsa_lib.c, xrefs: 07196DC3, 07196DDA, 07196E06, 07196E18, 07196E55, 07196E84, 07196EC5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID: crypto\rsa\rsa_lib.c
API String ID: 2102423945-3747402232
Opcode ID: 2c75fc140ed21488244cb83685c4cf02d728d605489d23370222fa11f6fbc9ae
Instruction ID: 32c89ec8603c47b891be8062743369a4a41c031433648ea313136f5eb8c8f9c8
Opcode Fuzzy Hash: 2c75fc140ed21488244cb83685c4cf02d728d605489d23370222fa11f6fbc9ae
Instruction Fuzzy Hash: B2315DF0B847026AE731FA34EC12F57B6D45F00B24F004135F719B92C1F7A6E1428AA2

Function 072E57D0 Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466ee654afb456c5e5854b7dd40efcfc14597b6310f39110f81ab4397227583d
Instruction ID: 41e8dbdbe6c7e8a0e59ec95ed18b3d179d7d267cdad6dd1a741d0d303c8f1dc5
Opcode Fuzzy Hash: 466ee654afb456c5e5854b7dd40efcfc14597b6310f39110f81ab4397227583d
Instruction Fuzzy Hash: 5F62DEF247D7D60ED32787324D7A5A1BFB8AE03118B4D44CFC0C18A5B3D1589A2AC36A

Function 0731F408 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fba5f91d6fd91b5ff993041425a9d6f0c57c4be20749e8b756acf9c8e76804b
Instruction ID: 5e5c1a50f7c6bfb516ea098a82a3201b44ccb13752325935e4a1f74cba45fa15
Opcode Fuzzy Hash: 1fba5f91d6fd91b5ff993041425a9d6f0c57c4be20749e8b756acf9c8e76804b
Instruction Fuzzy Hash: C3E1D47408E3C39FC3569BB4985A9D2FFE49E2222032545EBD4C2CA073D79C45A7DB61

Function 0731D760 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878a445c35058eed2e0aaa9c0f23dc954d68f4e761c05bdab4315fef5558ff8c
Instruction ID: e5f97e4210e170dc4a7d33cd35a3e1f5e31f80afb076e6a3fe66e1bd61224873
Opcode Fuzzy Hash: 878a445c35058eed2e0aaa9c0f23dc954d68f4e761c05bdab4315fef5558ff8c
Instruction Fuzzy Hash: 64C14D3114E3E38FD7179BB098965C2BFE0AF1322072A45E7D485CF0A3D6A8055BCB92

Function 071C6B80 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960bc9dfe07f9e8f1e9932a2e3e3b25ac3cf09293ab857ad8873604c57a6c982
Instruction ID: 6a628906bcea0c8409c83763bf21e14b723667609bd59f678dc77485fbc20ed2
Opcode Fuzzy Hash: 960bc9dfe07f9e8f1e9932a2e3e3b25ac3cf09293ab857ad8873604c57a6c982
Instruction Fuzzy Hash: 7CC14B71988A925ED325EF58C8C0AB47B62EF84308F5BC1BC8D890F7A3C63ED4959751

Function 07106660 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eae045e1b83ac526bb10992304509a74053ac58036b067401197fdd60130385
Instruction ID: d9d491f2bc95f54c73788dd2d0ace536a1e2d29e19a75a3b5859bfd97c704640
Opcode Fuzzy Hash: 3eae045e1b83ac526bb10992304509a74053ac58036b067401197fdd60130385
Instruction Fuzzy Hash: 5EA114B1600B018FD764CF39D489A97B7F5FB88324F108A2ED0AE87A90DB74B555CB91

Function 070E6CC0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe4ceeafd167ca9e782a2fd1f2727c1106e6d6578b1265e339983ed76d8da45
Instruction ID: 38bff7161dfb3ec39f1407cd26ed7b6e70331c7001301ea227f222fee10a43bd
Opcode Fuzzy Hash: 0fe4ceeafd167ca9e782a2fd1f2727c1106e6d6578b1265e339983ed76d8da45
Instruction Fuzzy Hash: 00411AB2A181564FCB28CE3CE5502BD77D9EB56224F5443AEDC66CB381D633889287D1

Function 0724C4C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: bc1395c927e8fa7ab060c2a4f0cb7fcf549e02b0235803718b962a10cd947455
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 63112BF722308343D60D873DD8B86BFA399EBC5220B2C437AD1429B758D522E1C59920

Function 0719CE00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc281d633757abb1e25df9bd32246cd0c115047ba5503716c0a59fd9e2aa907a
Instruction ID: 22e5c61ec793be3b84c407c6eab48209d7987e519b5809fbb6a4910005246b59
Opcode Fuzzy Hash: dc281d633757abb1e25df9bd32246cd0c115047ba5503716c0a59fd9e2aa907a
Instruction Fuzzy Hash: FF01E773B7182A035B1CC42E9C021AA418757C952439FCB7DED6BEF286F828DC1292D0

Function 07196D00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77069556efb3998dd7976833ed94329bda10600e207d923fba6dcc261bb3f70
Instruction ID: 9a4d96f0a570f0cf1ed1e4968adedf7f37a88b4f8db218a71dfe483abd8f75fb
Opcode Fuzzy Hash: d77069556efb3998dd7976833ed94329bda10600e207d923fba6dcc261bb3f70
Instruction Fuzzy Hash: 050144F660070187DF31DE59A580A17F3F8AFD4A24F14093EE5D587285D771E41A87B2

Function 070C0D70 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 85437ab440bf419aa15b7661e53b5c6a35f1ab825eece2ed2a2bef4b0c6f03a8
Instruction ID: 44bd7cc3f878724a5eebf13d62843fab7868155c497cd3b087ac3ddadad04a67
Opcode Fuzzy Hash: 85437ab440bf419aa15b7661e53b5c6a35f1ab825eece2ed2a2bef4b0c6f03a8
Instruction Fuzzy Hash: C8112EF492A2508FD38C8F1AA6488087FE0BB08310B1686EEA50D8B732D331D484CF49

Function 070C0C70 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 4d9f9dc6a58df30cfbeb81704c135e3c6519c55a2fe1e1fa4815a85719933bf0
Instruction ID: 42b63450d349f274a3332a0a561a624f5c134d37a7e7082133ce437b3ca667cc
Opcode Fuzzy Hash: 4d9f9dc6a58df30cfbeb81704c135e3c6519c55a2fe1e1fa4815a85719933bf0
Instruction Fuzzy Hash: 09112FF492A3108FD39C8F1AA6888083FE0BB48310B1696EEA10D8F732D331C444CF49

Function 070C0E40 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 4bf7d4f0a4b4fb90551105bc46a434eb95f5c6b018a69c228ef32baefbc8b5ea
Instruction ID: 8816fcd9055b502b5509b4237da2376592deabbc559b10abd501e8ebeb663d0a
Opcode Fuzzy Hash: 4bf7d4f0a4b4fb90551105bc46a434eb95f5c6b018a69c228ef32baefbc8b5ea
Instruction Fuzzy Hash: F61100F49293649FD39C8F1AA6488097EE0BB08314B5696EEA60D8B732D331C444CF49

Function 070BF340 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c49fdd2755746407b380d3e66225006847016148d81a3283c9ebc212c3aec2b
Instruction ID: 074402e8b203748079ccda577a55a2b8c6fc7e433a556464f2a416201d4fb8c7
Opcode Fuzzy Hash: 6c49fdd2755746407b380d3e66225006847016148d81a3283c9ebc212c3aec2b
Instruction Fuzzy Hash: 09E0247A200209AFCB40DE9CD881EAA77EDAB8C610F148544FA09CB351C630F8629BA0

Function 070BE760 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: dd5650cb7cdd0769ac7481a00f95b8012e86deae31d25621f10ad43ae5b0390d
Instruction ID: 29e7ff8a67b5fb4d51311081c4ff12a9ff39fee461b35be1b46ec23e4859418e
Opcode Fuzzy Hash: dd5650cb7cdd0769ac7481a00f95b8012e86deae31d25621f10ad43ae5b0390d
Instruction Fuzzy Hash: CEE099F095A2008FD78C8F18E4498167AE0AB08310B1A85FEA00ECB362C334C600DF9A

Function 070BE690 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 3a042a21b0363c7c50bbdf5250af10e7dcb378c8046edbddb033d9b8383ccb6f
Instruction ID: 90c07aef3ecc9da74ca53104023c18131cc053020fb1c2df1e0720c0c146bfe4
Opcode Fuzzy Hash: 3a042a21b0363c7c50bbdf5250af10e7dcb378c8046edbddb033d9b8383ccb6f
Instruction Fuzzy Hash: 6EE099F09192008FDB8C9F18A8058017AE0AF08310B1A85FEA00ECB362C334C600DF9A

Function 070BE330 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: d3ce9b2ebf8fb322cb71ed7e5022263c96f061725448501d1377cac9bb5d78c8
Instruction ID: 292b9f0491dfda381eddb545d769fd3cd7607bf1e120862a1dc1db1c92475493
Opcode Fuzzy Hash: d3ce9b2ebf8fb322cb71ed7e5022263c96f061725448501d1377cac9bb5d78c8
Instruction Fuzzy Hash: 90E0BDF09292008FD78C8F18A8098057EE0BF08310B1A85FEA00ECF322C374C601DF9A

Function 070BE3A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 6aeeca49e497f4778d6a957556b98712afc730e1bb14ee01db06e6ad3abf0078
Instruction ID: ad148666bdb7ade9e1cfd7e6fe15e8a2a49bbdb9f9cb016f4c04d5f2bead5170
Opcode Fuzzy Hash: 6aeeca49e497f4778d6a957556b98712afc730e1bb14ee01db06e6ad3abf0078
Instruction Fuzzy Hash: F6E099F09192008FDB8C8F18A8098057AE0AB08710B1A85FEA00ECF322C334C600DF9A

Function 070BE3E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 40e711f3921df4dae38bb5fbe02f3012d38166f877eeb2e5505a5f68c25cbf29
Instruction ID: 5d70c367e95cb07945246579ebd2ee75afc4a5297a35c897edab72526cbb44ae
Opcode Fuzzy Hash: 40e711f3921df4dae38bb5fbe02f3012d38166f877eeb2e5505a5f68c25cbf29
Instruction Fuzzy Hash: 41E099F09192008FDB8C8F18A8098057AE0AB08310B1A85FEA10ECB322C374C601DF9A

Function 070BE2F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: f8df7e20970e9ee7aadcebfdc4465a5303941f60ad7848d3f90821774aecfa35
Instruction ID: 98c63a44730e10f2a6f46c03ac3d97c4a8985995646a822d657197924672ad5a
Opcode Fuzzy Hash: f8df7e20970e9ee7aadcebfdc4465a5303941f60ad7848d3f90821774aecfa35
Instruction Fuzzy Hash: ABE0BDF09292008FD78C8F18A4098057EE0BF08311B1A85FEA10ECF322C335CA01DF9A

Function 070BE700 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 8996bea94ed3549af8886dba0fd146f28890c28ef48a7a8f568a182be07fa59e
Instruction ID: f929a18ef290d82c2a27d66be3b2b65f7cd4818befc4f7b160a7da5cde5d47dd
Opcode Fuzzy Hash: 8996bea94ed3549af8886dba0fd146f28890c28ef48a7a8f568a182be07fa59e
Instruction Fuzzy Hash: 19E02DF49592008ED79C8F58A4499557AE0AB18311B1A84FEA10ECB362C774D641DF9A

Function 070BE7A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 5e833733b1cc70499e15452e38b4d378cffc46fdabb17bffd22cd563d75e6ac1
Instruction ID: 58f43ee4fcb621d32e55454c5e169ae8c6b2f46a440a17a0783413f76f393175
Opcode Fuzzy Hash: 5e833733b1cc70499e15452e38b4d378cffc46fdabb17bffd22cd563d75e6ac1
Instruction Fuzzy Hash: B2E02DF49592018FD79C8F18A4499557AE0AB08311B1A85FEA40ECB362C774CA41DF9A

Function 070BE6D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 8b52cc3a7b18e525128d5a57e4ddb893c9d3d803a460516674afed481cf863c3
Instruction ID: 9029f53e3bcccd2594849fb758a1dbb74fcabb6d40f47d7a48633a997b14d9fb
Opcode Fuzzy Hash: 8b52cc3a7b18e525128d5a57e4ddb893c9d3d803a460516674afed481cf863c3
Instruction Fuzzy Hash: 78E02DF49692408ED79C8F18A9459557AE0AB18311B1A84FEA00ECB372D774C641DF9A

Function 070BE420 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 9e383a9a4b0a7863c114d0c64dd77909c7875480603da7c0f244217e557ca0d3
Instruction ID: 09548fcde229b9d9beed7c1c3243494bbbd1474f54ae0e0b9a028679c370f252
Opcode Fuzzy Hash: 9e383a9a4b0a7863c114d0c64dd77909c7875480603da7c0f244217e557ca0d3
Instruction Fuzzy Hash: 47E02DF4A593008ED79D8F18A8459567AE0AF08311B1A84FEA10ECB362D774C641DF9A

Function 070BE370 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 371da668cbf78d84e7e97e16197ad5ebe89328a4178a3da3571bb2d8af754405
Instruction ID: 7250a627dca3ec6a95e246005325775d3f84cf734855acd7d7be9976e004f922
Opcode Fuzzy Hash: 371da668cbf78d84e7e97e16197ad5ebe89328a4178a3da3571bb2d8af754405
Instruction Fuzzy Hash: F7E02DF49692009ED79C8F18A8499557EE0AB08711B1A84FEA00ECB362D778C645DF9A

Function 070BE9B0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c53b59c935c8446f0f0b73aea86a09e5d2a8ead56228c2a1d38939137a7886
Instruction ID: 2759f9316f3175e46529f716de90f92b6dd63c7ed30831f5abf6be492a7b4439
Opcode Fuzzy Hash: 92c53b59c935c8446f0f0b73aea86a09e5d2a8ead56228c2a1d38939137a7886
Instruction Fuzzy Hash: C5D067752002099FCB44DF9CD880E6A73EDBB8C210F148554F909C7702C630FC11DBA0

Function 070BE730 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: c4cf505e1f9b5e94cdf50389d67c442fffa0f876312d75f69133b8f2cc3dbe5b
Instruction ID: 1625edf4df6ff2fac3e0ed8a095b9b6c4a0b567a271de8e1a26cef9cc4b599d9
Opcode Fuzzy Hash: c4cf505e1f9b5e94cdf50389d67c442fffa0f876312d75f69133b8f2cc3dbe5b
Instruction Fuzzy Hash: B9D092F4A662008FDB9C8F68A9058557AE0AF44311B1AC4FEA00ECF362D774C600DB5A

Function 070CC360 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa32850f1539a571a635dfc4542d8d7065f74ee2d6fc7f14876b377de9d5c81
Instruction ID: 764b4de45d26f5c4576a29f2f725329a7c1cefff4c6f196c5f4f56b8eee788dc
Opcode Fuzzy Hash: baa32850f1539a571a635dfc4542d8d7065f74ee2d6fc7f14876b377de9d5c81
Instruction Fuzzy Hash: F2D092392002089FCB44DF98C880E6AB3E9AB8C214B14C159FA098B702C630F8518BA0

Function 070C1F10 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 04c7cfc6f1ed5b91cdcdae693a7f14e3fc9fc56f6bcd14d2204c69e73fa61dd1
Instruction ID: 3ca76b53d6c98e98c0d1a05d4b0c2b15196fb4ac4fe0fc5e959989ab26bd732a
Opcode Fuzzy Hash: 04c7cfc6f1ed5b91cdcdae693a7f14e3fc9fc56f6bcd14d2204c69e73fa61dd1
Instruction Fuzzy Hash: 51D0C9F0A262018FDB8C8F1498069157AE0AF44311B5AC4FEA10ECF372C7B4C401DF56

Function 070BEB60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ab1e7c04c4c286db2240b5d6fad542a88fdc90ec740c2e1a429fdb0a4c0efe
Instruction ID: 0be5348f053b865c82e1ba099889d87681a2c1a6299933a3c96e9f1c0cc6da8f
Opcode Fuzzy Hash: 16ab1e7c04c4c286db2240b5d6fad542a88fdc90ec740c2e1a429fdb0a4c0efe
Instruction Fuzzy Hash: B3D012392002089FC704DF58C480D6AB3EDBF8C310B14C154E9098B702C631FC16CBA0

Function 070BE450 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ade58215f75382a52e060c025590530de48af1c9403ef38fc0482b8b49fa5a
Instruction ID: f9065c12ea8b7749e1d35cfcddf0437a0617abb76afdbd2a2644684812f677f1
Opcode Fuzzy Hash: 11ade58215f75382a52e060c025590530de48af1c9403ef38fc0482b8b49fa5a
Instruction Fuzzy Hash: 0AC08C753442084FD708DE95E480FA633989FC4F00F008058E6040B251C6B1F800C6E1

Function 070C0F10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1dcbeaf13b7a273b648a003e2620ad489835013dadf749094a0e0b013c31fe
Instruction ID: 3a74c35657d091c2a64a080cddeda01fcc8379cc22cf23aa9f7f7c5f7c36b4c2
Opcode Fuzzy Hash: 9a1dcbeaf13b7a273b648a003e2620ad489835013dadf749094a0e0b013c31fe
Instruction Fuzzy Hash: 6BC08CB53482088FD708EA86D890F6A33A89F84B00F00801CE6050BA61C6B1F880C6E0

Function 070C1F40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004ecd806b60f94557ac648035f94a42baee93ad06ae674c14136776a857b796
Instruction ID: 67f933c7737069ece631a3bd54e38abed3fae054234774b5de8cc959f3fa3c1f
Opcode Fuzzy Hash: 004ecd806b60f94557ac648035f94a42baee93ad06ae674c14136776a857b796
Instruction Fuzzy Hash: 6CC08CB534430C4FD708DF89C480F3A7399AF84B00F04C05CE7080B252C6B1F80086E0

Function 070BEC20 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208c1046cf5be2143409d34dd79076be8bc9b5f17857e7cb47d217e628d68841
Instruction ID: 9b93a74af92b5c700d218ff48853ee5f5e4b1ef83a10c18a93a3b56a30d67c1b
Opcode Fuzzy Hash: 208c1046cf5be2143409d34dd79076be8bc9b5f17857e7cb47d217e628d68841
Instruction Fuzzy Hash: 1CC08C302002088FC304CB8CC880D65B3E8AF98300B048174A9088B702C630FC51CA80

Function 070BE800 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9687ac692df87b71544f27beef82b832d0d47e4500950c8239434ebf8bd108
Instruction ID: c731d4f4fb8fdd60f6c5786367e6ef0a98c57d474b4a5c3ecfba435245932943
Opcode Fuzzy Hash: 1d9687ac692df87b71544f27beef82b832d0d47e4500950c8239434ebf8bd108
Instruction Fuzzy Hash: 72B0923510430CAB8700DE88D040855BBA8EB58620B00C01AAC484B301D632F911CA90

Function 070C1030 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fbc3caece0a5a51edf19e4cb77f217088ed63ad55eb968684f17a82f87a15a
Instruction ID: 933affc9d46aaf04c26567170c511cd0e74395617ef769b587afea2a65f944eb
Opcode Fuzzy Hash: 37fbc3caece0a5a51edf19e4cb77f217088ed63ad55eb968684f17a82f87a15a
Instruction Fuzzy Hash: B8B0923610430C9B8700EE88D080855B7A8EB58660B10801AAD484B301E632F951CA90

Function 070B2260 Relevance: 64.8, APIs: 1, Strings: 36, Instructions: 17COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 070B2272

Part of subcall function 0724E76C: RaiseException.KERNEL32(?,?,07248693,?,?,?,?,?,07248693,?,0734D40C,0736C2A8), ref: 0724E7AE

Strings

HPE_CB_CHUNK_EXTENSION_NAME_COMPLETE, xrefs: 070B2356
HPE_PAUSED_UPGRADE, xrefs: 070B2320
HPE_CLOSED_CONNECTION, xrefs: 070B22BA
HPE_CB_CHUNK_COMPLETE, xrefs: 070B2314
HPE_CB_HEADER_FIELD_COMPLETE, xrefs: 070B234A
HPE_CB_HEADER_VALUE_COMPLETE, xrefs: 070B2350
HPE_CB_METHOD_COMPLETE, xrefs: 070B233E
HPE_STRICT, xrefs: 070B229C
HPE_INVALID_EOF_STATE, xrefs: 070B22F0
HPE_INVALID_STATUS, xrefs: 070B22EA
HPE_CB_MESSAGE_COMPLETE, xrefs: 070B2308
HPE_PAUSED, xrefs: 070B231A
HPE_INVALID_CONTENT_LENGTH, xrefs: 070B22DE
HPE_CB_STATUS_COMPLETE, xrefs: 070B2338
HPE_CB_URL_COMPLETE, xrefs: 070B2332
HPE_INTERNAL, xrefs: 070B2296
HPE_LF_EXPECTED, xrefs: 070B22A8
HPE_INVALID_METHOD, xrefs: 070B22C0
HPE_CB_MESSAGE_BEGIN, xrefs: 070B22FC
HPE_OK, xrefs: 070B2290
HPE_CB_CHUNK_EXTENSION_VALUE_COMPLETE, xrefs: 070B235C
HPE_UNEXPECTED_CONTENT_LENGTH, xrefs: 070B22AE
HPE_UNEXPECTED_SPACE, xrefs: 070B22B4
HPE_INVALID_CONSTANT, xrefs: 070B22CC
HPE_INVALID_VERSION, xrefs: 070B22D2
HPE_CB_VERSION_COMPLETE, xrefs: 070B2344
HPE_PAUSED_H2_UPGRADE, xrefs: 070B2326
HPE_CR_EXPECTED, xrefs: 070B22A2
HPE_CB_RESET, xrefs: 070B2362
HPE_INVALID_URL, xrefs: 070B22C6
HPE_CB_HEADERS_COMPLETE, xrefs: 070B2302
HPE_INVALID_CHUNK_SIZE, xrefs: 070B22E4
HPE_INVALID_TRANSFER_ENCODING, xrefs: 070B22F6
HPE_INVALID_HEADER_TOKEN, xrefs: 070B22D8
HPE_CB_CHUNK_HEADER, xrefs: 070B230E
HPE_USER, xrefs: 070B232C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: HPE_CB_CHUNK_COMPLETE$HPE_CB_CHUNK_EXTENSION_NAME_COMPLETE$HPE_CB_CHUNK_EXTENSION_VALUE_COMPLETE$HPE_CB_CHUNK_HEADER$HPE_CB_HEADERS_COMPLETE$HPE_CB_HEADER_FIELD_COMPLETE$HPE_CB_HEADER_VALUE_COMPLETE$HPE_CB_MESSAGE_BEGIN$HPE_CB_MESSAGE_COMPLETE$HPE_CB_METHOD_COMPLETE$HPE_CB_RESET$HPE_CB_STATUS_COMPLETE$HPE_CB_URL_COMPLETE$HPE_CB_VERSION_COMPLETE$HPE_CLOSED_CONNECTION$HPE_CR_EXPECTED$HPE_INTERNAL$HPE_INVALID_CHUNK_SIZE$HPE_INVALID_CONSTANT$HPE_INVALID_CONTENT_LENGTH$HPE_INVALID_EOF_STATE$HPE_INVALID_HEADER_TOKEN$HPE_INVALID_METHOD$HPE_INVALID_STATUS$HPE_INVALID_TRANSFER_ENCODING$HPE_INVALID_URL$HPE_INVALID_VERSION$HPE_LF_EXPECTED$HPE_OK$HPE_PAUSED$HPE_PAUSED_H2_UPGRADE$HPE_PAUSED_UPGRADE$HPE_STRICT$HPE_UNEXPECTED_CONTENT_LENGTH$HPE_UNEXPECTED_SPACE$HPE_USER
API String ID: 3976011213-3981678715
Opcode ID: 8242f79f6375f87c962ad7a6711ec904dd92a1855ab6406a58535b597ae77874
Instruction ID: 0e06c5416af25703289d84625f9b783a5f02575586c7ead49d8cd9697e83c799
Opcode Fuzzy Hash: 8242f79f6375f87c962ad7a6711ec904dd92a1855ab6406a58535b597ae77874
Instruction Fuzzy Hash: D0C04CB552430CA79B08EFA8C4458C93BD86A08A64B508414BA088B101D670F6408695

Function 071AF1E0 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 156COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 071AF1F9

Strings

DSA, xrefs: 071AF23A
PKEY, xrefs: 071AF30C
RAND, xrefs: 071AF2A3
PKEY_ASN1, xrefs: 071AF356
CIPHERS, xrefs: 071AF2C5
RSA, xrefs: 071AF218
ALL, xrefs: 071AF1F3
DIGESTS, xrefs: 071AF2E7
PKEY_CRYPTO, xrefs: 071AF331

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _strncmp
String ID: ALL$CIPHERS$DIGESTS$DSA$PKEY$PKEY_ASN1$PKEY_CRYPTO$RAND$RSA
API String ID: 909875538-3265945040
Opcode ID: 89fd987b123bc5dbfbd30b221b4997d3b49305461f169d4b7c59b9ebd193d54e
Instruction ID: a87590e675ac06f394c959bcfad871b51be0a76fc4f7951955265e84cb67d30b
Opcode Fuzzy Hash: 89fd987b123bc5dbfbd30b221b4997d3b49305461f169d4b7c59b9ebd193d54e
Instruction Fuzzy Hash: 6841B2B2A642126BE711991DFD42F8B73F89FC2760F068022F844DB294E394DD83C5A7

Function 071988E0 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 217COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 07198927
_strspn.LIBCMT ref: 07198959
_strspn.LIBCMT ref: 07198979
_strncmp.LIBCMT ref: 07198988
_strspn.LIBCMT ref: 071989A1
_strspn.LIBCMT ref: 071989B7

Strings

, xrefs: 0719899B
Proc-Type:, xrefs: 07198921
crypto\pem\pem_lib.c, xrefs: 07198938, 071989CF, 07198A00, 07198A69, 07198AA1, 07198ACC, 07198B13
,, xrefs: 07198A2A
, xrefs: 071989B1
DEK-Info:, xrefs: 071989E9
ENCRYPTED, xrefs: 07198982

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _strspn$_strncmp
String ID: $ $ ,$DEK-Info:$ENCRYPTED$Proc-Type:$crypto\pem\pem_lib.c
API String ID: 2057175535-2412464277
Opcode ID: af0c6538340917a0211bf5eecf89eba88ba80fb3cc0d9f7a45f520020ca19729
Instruction ID: 8e4a4c0097ef8b435e289ff7e2b1cc6888dca939daa1fca4156dc28999812fc1
Opcode Fuzzy Hash: af0c6538340917a0211bf5eecf89eba88ba80fb3cc0d9f7a45f520020ca19729
Instruction Fuzzy Hash: BD512CF2BD03116AE72276746C12FAB76D44B51B24F0C4875FB4CEA2C2F392911282E7

Function 070D83F0 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 457stringsynchronizationCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000032), ref: 070D84A6
SetLastError.KERNEL32(00002739,?,?,?,?), ref: 070D8587
_free.LIBCMT ref: 070D8682
lstrcmpiA.KERNEL32(?,?), ref: 070D86B8
_free.LIBCMT ref: 070D86D4
WaitForSingleObject.KERNEL32(?,0000000A), ref: 070D8749
_memcpy_s.LIBCMT ref: 070D8794
lstrlen.KERNEL32(00000000,8007000E), ref: 070D87BA
_memcpy_s.LIBCMT ref: 070D87E6
WaitForSingleObject.KERNEL32(?,0000000A), ref: 070D8829
lstrlen.KERNEL32(?), ref: 070D8858
lstrlen.KERNEL32(?), ref: 070D8768

Part of subcall function 070D5CD0: __recalloc.LIBCMT ref: 070D5D0C
Part of subcall function 070D5CD0: _free.LIBCMT ref: 070D5D23
Part of subcall function 070D5CD0: _calloc.LIBCMT ref: 070D5D47

_memcpy_s.LIBCMT ref: 070D888E
_free.LIBCMT ref: 070D88F2

Strings

CHttpSyncClientT<class CSSLClient,443>::OpenUrl, xrefs: 070D8490, 070D856E, 070D85DD

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _free$_memcpy_slstrlen$ErrorLastObjectSingleWait$__recalloc_calloclstrcmpi
String ID: CHttpSyncClientT<class CSSLClient,443>::OpenUrl
API String ID: 2022437348-2780565540
Opcode ID: 33bc183ae33fd55557806f9f688cd2367263e326158c828c02739dffb722f4c5
Instruction ID: fcce6ed912c3d26c56ae22e2320041de30194704ec69437b738f82643aac775a
Opcode Fuzzy Hash: 33bc183ae33fd55557806f9f688cd2367263e326158c828c02739dffb722f4c5
Instruction Fuzzy Hash: 80027BB5A00319DFDB24DB68CC85B9AB3B5BF49314F148299E519A7381DB30AE81CF91

Function 070D7170 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 457stringsynchronizationCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000032), ref: 070D7226
SetLastError.KERNEL32(00002739,?,?,?,?), ref: 070D7307
_free.LIBCMT ref: 070D7402
lstrcmpiA.KERNEL32(?,?), ref: 070D7438
_free.LIBCMT ref: 070D7454
WaitForSingleObject.KERNEL32(?,0000000A), ref: 070D74C9
_memcpy_s.LIBCMT ref: 070D7514
lstrlen.KERNEL32(00000000,8007000E), ref: 070D753A
_memcpy_s.LIBCMT ref: 070D7566
WaitForSingleObject.KERNEL32(?,0000000A,80004005), ref: 070D75A9
lstrlen.KERNEL32(?), ref: 070D75D8
lstrlen.KERNEL32(?), ref: 070D74E8

Part of subcall function 070D5CD0: __recalloc.LIBCMT ref: 070D5D0C
Part of subcall function 070D5CD0: _free.LIBCMT ref: 070D5D23
Part of subcall function 070D5CD0: _calloc.LIBCMT ref: 070D5D47

_memcpy_s.LIBCMT ref: 070D760E
_free.LIBCMT ref: 070D7672

Strings

CHttpSyncClientT<class CTcpClient,80>::OpenUrl, xrefs: 070D7210, 070D72EE, 070D735D

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _free$_memcpy_slstrlen$ErrorLastObjectSingleWait$__recalloc_calloclstrcmpi
String ID: CHttpSyncClientT<class CTcpClient,80>::OpenUrl
API String ID: 2022437348-142492691
Opcode ID: ff11a2c50d06243232fc681dfe68d1e58604e5dcb54801c6229c7649f85503ef
Instruction ID: 13d7861e651a95a233a08b8e6b600aa20e88d771fdbd62c88b943380084a74bf
Opcode Fuzzy Hash: ff11a2c50d06243232fc681dfe68d1e58604e5dcb54801c6229c7649f85503ef
Instruction Fuzzy Hash: 4E029AB1A00319DFDB25DB68CC85BDAB3B5BB49314F1482D9E909A7391DB30AE41CF91

Function 070DB120 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 276synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000001), ref: 070DB141
__wfopen_s.LIBCMT ref: 070DB16A
SetLastError.KERNEL32(00000002), ref: 070DB186

Part of subcall function 070DAC00: __wfopen_s.LIBCMT ref: 070DAC5D
Part of subcall function 070DAC00: SetLastError.KERNEL32(00000002), ref: 070DAC79

SetLastError.KERNEL32(?), ref: 070DB1A6
__time64.LIBCMT ref: 070DB1B2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 070DB1F7
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 070DB477

Strings

%s %s, xrefs: 070DB267
%s;%s;%I64d;%d;%d;%d, xrefs: 070DB2C8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$__wfopen_s$ObjectReleaseSemaphoreSingleWait__time64
String ID: %s;%s;%I64d;%d;%d;%d$%s %s
API String ID: 2191005652-4092843171
Opcode ID: 8eeebb76a61163ec6a3884c0d7903642569ea23cec5a9ff9f6f6ab3433de1b59
Instruction ID: 05041e918b9fe088d19ff1507ca82defeeffd3d650df18214ff4b29d22326b68
Opcode Fuzzy Hash: 8eeebb76a61163ec6a3884c0d7903642569ea23cec5a9ff9f6f6ab3433de1b59
Instruction Fuzzy Hash: 8BA1B0F6724341DFEB20EF25D88952A77E9AB89310F01872AE459D7341E374EC52CB52

Function 070EEE10 Relevance: 22.7, APIs: 15, Instructions: 229timememoryCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070EEE50
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070EEE5D
InterlockedDecrement.KERNEL32(?), ref: 070EEE80
RtlDeleteCriticalSection.NTDLL(?), ref: 070EEECD
RtlDeleteCriticalSection.NTDLL(?), ref: 070EEED3
HeapFree.KERNEL32(?,00000000), ref: 070EEEDF
timeGetTime.WINMM(?), ref: 070EEF38
InterlockedCompareExchange.KERNEL32 ref: 070EEF6C
timeGetTime.WINMM(?,00000000,73AF47A0), ref: 070EEF91
timeGetTime.WINMM(?,00000000,73AF47A0), ref: 070EEF9B
InterlockedDecrement.KERNEL32(?), ref: 070EEFCD
RtlDeleteCriticalSection.NTDLL(73AF4810), ref: 070EF055
RtlDeleteCriticalSection.NTDLL(73AF47F8), ref: 070EF05B
HeapFree.KERNEL32(?,00000000,73AF47A0), ref: 070EF067
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070EF076

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CompareCriticalDeleteExchangeSection$Timetime$DecrementFreeHeap
String ID:
API String ID: 517897276-0
Opcode ID: 7cbd452ca453653c3d2d6072a9892a9a24d9f6adf66d553d729f6c6377d0a828
Instruction ID: dae8e01cac27beea6d2b76ffdf9b48bb5543480cbde95a13719cf4df5c5a65d3
Opcode Fuzzy Hash: 7cbd452ca453653c3d2d6072a9892a9a24d9f6adf66d553d729f6c6377d0a828
Instruction Fuzzy Hash: 7B818AB1614702DFD750CF28D884B2ABBE9FB89724F108B5AF459DB290D735E840CB92

Function 070FE560 Relevance: 21.2, APIs: 14, Instructions: 215timememoryCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070FE5A4
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070FE5B7
InterlockedDecrement.KERNEL32(?), ref: 070FE5E2
RtlDeleteCriticalSection.NTDLL(?), ref: 070FE607
CloseHandle.KERNEL32(?), ref: 070FE621
CloseHandle.KERNEL32(?), ref: 070FE63C
HeapFree.KERNEL32(?,00000000,?), ref: 070FE650
timeGetTime.WINMM(00000000), ref: 070FE6B3
InterlockedCompareExchange.KERNEL32 ref: 070FE6E7
timeGetTime.WINMM(?,00000000,73AF47A0), ref: 070FE710
timeGetTime.WINMM(?,00000000,73AF47A0), ref: 070FE71A
InterlockedDecrement.KERNEL32(?), ref: 070FE74C
HeapFree.KERNEL32(?,00000000,73AF47A0), ref: 070FE7A2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070FE7B1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CompareExchange$Timetime$CloseDecrementFreeHandleHeap$CriticalDeleteSection
String ID:
API String ID: 1801204590-0
Opcode ID: f038528a4c8d9103078583b0f9efe7eb8572b8d147ff1cb2d71c6fd5fd709b0b
Instruction ID: e80f6749125df56cb1d0490345a148f7d8723fa84c6cfcf2bccc0f5b2c9917ef
Opcode Fuzzy Hash: f038528a4c8d9103078583b0f9efe7eb8572b8d147ff1cb2d71c6fd5fd709b0b
Instruction Fuzzy Hash: B2817BB06143429FD720CF24D884B1ABBE8FF85714F148B2EF659976A0D778E544CB92

Function 070F62F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 07248614: _malloc.LIBCMT ref: 0724862E

std::exception::exception.LIBCMT ref: 070F6334
__CxxThrowException@8.LIBCMT ref: 070F6349
SetLastError.KERNEL32(00000000,?,?,?,?,?), ref: 070F63F3
ResetEvent.KERNEL32(0000000B,?,?,?,?,?,?), ref: 070F6446

Strings

CUdpCast::Start, xrefs: 070F645F, 070F6488, 070F64B3, 070F64D5, 070F64F3

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorEventException@8LastResetThrow_mallocstd::exception::exception
String ID: CUdpCast::Start
API String ID: 3711864853-3828262324
Opcode ID: 0e4165f981f5ca307106eda99c78735e018f55a81fa42c78957ab1961c0d4f62
Instruction ID: ea16253215c1a3e48a0f4b59e3390cb391eed457c4dfa4ef7a4b9bfff4d2454f
Opcode Fuzzy Hash: 0e4165f981f5ca307106eda99c78735e018f55a81fa42c78957ab1961c0d4f62
Instruction Fuzzy Hash: B36162F1A00205AFD714EF65D845B9AB7E4BF48710F008266EA08D7740EB75E915CBE1

Function 07148250 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 0714825D
_strncmp.LIBCMT ref: 0714828B

Strings

SUITEB128C2, xrefs: 07148285
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 07148371
ssl\ssl_ciph.c, xrefs: 07148323
SUITEB128, xrefs: 071482B3
SUITEB192, xrefs: 071482DE
SUITEB128ONLY, xrefs: 07148255
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 07148364
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 0714835C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _strncmp
String ID: ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$ssl\ssl_ciph.c
API String ID: 909875538-1868743464
Opcode ID: b1a1d3baa0175706c364d1cae0140b486a3e0ce41019fb39128af5fa0340795e
Instruction ID: 53f43c76024618e899938bd42b8c12d1a68ea6906501436fc221acbac1604af5
Opcode Fuzzy Hash: b1a1d3baa0175706c364d1cae0140b486a3e0ce41019fb39128af5fa0340795e
Instruction Fuzzy Hash: E731E5F1B603029FDB29DE24DC91B2636E4EF40710F154A29FC65DB2C9E7B4D082C680

Function 070E0340 Relevance: 19.6, APIs: 2, Strings: 9, Instructions: 389COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 070E04C6
std::_Xinvalid_argument.LIBCPMT ref: 070E058A

Strings

list<T> too long, xrefs: 070E0585
Connection, xrefs: 070E053B, 070E055D
Content-Length, xrefs: 070E048F, 070E04A6, 070E04CE
keep-alive, xrefs: 070E0558
close, xrefs: 070E054F, 070E059D
Transfer-Encoding, xrefs: 070E04AB
Cookie, xrefs: 070E067D
Host, xrefs: 070E05E6, 070E062C
:%u, xrefs: 070E0614

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Xinvalid_argument__itowstd::_
String ID: :%u$Connection$Content-Length$Cookie$Host$Transfer-Encoding$close$keep-alive$list<T> too long
API String ID: 1801132792-3748922724
Opcode ID: 956c920f716fb609c89b89cc13ee172eebf3196fdaff7f2f445f74b4a93e6352
Instruction ID: 47d0efb6ce254263b35d3b1de3d8e871466efc1da60850771c3dc894935d4089
Opcode Fuzzy Hash: 956c920f716fb609c89b89cc13ee172eebf3196fdaff7f2f445f74b4a93e6352
Instruction Fuzzy Hash: 27E141F1E00319DFDB15DFA8C884AEEB7F9EF48310F148659E419AB240D7B5A905CB91

Function 070E9020 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

PathFileExistsA.SHLWAPI(?,?,?,00000000,?,070E900C,?,00000000,?,?,?,?,?,?,?,070E8F1F), ref: 070E903E
SetLastError.KERNEL32(00000002,?,070E900C,?,00000000,?,?,?,?,?,?,?,070E8F1F,?,?,?), ref: 070E904A
PathIsDirectoryA.SHLWAPI(?), ref: 070E905A
SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 070E907E
PathFileExistsA.SHLWAPI(?,?,?,00000000,?,070E900C,?,00000000,?,?,?,?,?,?,?,070E8F1F), ref: 070E910C
PathIsDirectoryA.SHLWAPI(?), ref: 070E9117
PathFileExistsA.SHLWAPI(?,?,070E900C,?,00000000,?,?,?,?,?,?,?,070E8F1F,?,?,?), ref: 070E9139
PathIsDirectoryA.SHLWAPI(?), ref: 070E9144
SetLastError.KERNEL32(00000056,?,?,?,?,?,?,?,?,?,?), ref: 070E917C
SetLastError.KERNEL32(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 070E91AF

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Path$ErrorLast$DirectoryExistsFile
String ID:
API String ID: 2610712681-0
Opcode ID: 53e5faa17ee29c2ba0c0aa32dde36966440adad354714c209341d80f4cf349ff
Instruction ID: c2742d24c587b36877091046582f7895b0d562ce247dd8a86d908e6b1ee1289b
Opcode Fuzzy Hash: 53e5faa17ee29c2ba0c0aa32dde36966440adad354714c209341d80f4cf349ff
Instruction Fuzzy Hash: 464102F371020AAFE7706A357C49BAB238CAB41769F444227FD05D2242E726E41586B3

Function 070C82C0 Relevance: 18.1, APIs: 12, Instructions: 117threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 070C8D6D
SetEvent.KERNEL32(?), ref: 070C8D81
GetQueuedCompletionStatus.KERNEL32(?,?,?,00000000,000000FF), ref: 070C8D99
InterlockedExchange.KERNEL32(?,00000000), ref: 070C8DB3
InterlockedDecrement.KERNEL32(?), ref: 070C8DCA
InterlockedIncrement.KERNEL32(?), ref: 070C8DE2
InterlockedDecrement.KERNEL32(?), ref: 070C8DED
_free.LIBCMT ref: 070C8E0B

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF,000000FF), ref: 070C8E3D
GetCurrentThreadId.KERNEL32 ref: 070C8E56
GetCurrentThreadId.KERNEL32 ref: 070C8E66
SetEvent.KERNEL32(?), ref: 070C8E73

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CurrentThread$CompletionDecrementEventQueuedStatus$ErrorExchangeFreeHeapIncrementLast_free
String ID:
API String ID: 2220408391-0
Opcode ID: e6daa7bf583c0c0ab3213760829b86bb36c005761909ff2cbf00e26b4d475fb3
Instruction ID: 2e2aa06e176a3a4c4bedb2502082123c0502b73fc5cc3078c04bcc2c7f1b6508
Opcode Fuzzy Hash: e6daa7bf583c0c0ab3213760829b86bb36c005761909ff2cbf00e26b4d475fb3
Instruction Fuzzy Hash: 77414FF5510206EFCB10DFA4E888AAEB7B8FF44319B00C65AE91593681D738E905CBA5

Function 070EA2E0 Relevance: 16.7, APIs: 11, Instructions: 184timeCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070EA31C
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070EA329
InterlockedDecrement.KERNEL32(?), ref: 070EA34C
RtlDeleteCriticalSection.NTDLL(75914D38), ref: 070EA368
timeGetTime.WINMM ref: 070EA3C7
InterlockedCompareExchange.KERNEL32 ref: 070EA3FB
timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,18B52151), ref: 070EA420
timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,18B52151), ref: 070EA42A
InterlockedDecrement.KERNEL32(?), ref: 070EA45C
RtlDeleteCriticalSection.NTDLL(73AF47A8), ref: 070EA4A3
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070EA4BB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CompareExchange$Timetime$CriticalDecrementDeleteSection
String ID:
API String ID: 1970098243-0
Opcode ID: d90df769667c34889edb2e0453b8ead4ef6e2b1e88b5317a0525512e614bddcf
Instruction ID: cd703a7ae71d7ebf1adea7a720955910ee67fe43eff65eb068923d398b7060d1
Opcode Fuzzy Hash: d90df769667c34889edb2e0453b8ead4ef6e2b1e88b5317a0525512e614bddcf
Instruction Fuzzy Hash: F8617BF1614302DFD710DF24D885B2ABBE8FB89714F108B2AF59997290D774E944CB92

Function 070FCAA0 Relevance: 15.3, APIs: 10, Instructions: 286threadnetworkCOMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 070FCAD8
_memmove.LIBCMT ref: 070FCB10
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 070FCB7A
CloseHandle.KERNEL32(00000000,?,00000001,000000FF,?,00000001,000000FF), ref: 070FCB94
GetCurrentThreadId.KERNEL32 ref: 070FCBDD
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 070FCC05
GetLastError.KERNEL32(?), ref: 070FCCC3
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 070FCCEA
WSAGetLastError.WS2_32 ref: 070FCCF4

Part of subcall function 070FD210: InterlockedIncrement.KERNEL32(?), ref: 070FD29E
Part of subcall function 070FD210: timeGetTime.WINMM(?,070FCD4F,?,?), ref: 070FD2B4
Part of subcall function 070FD210: InterlockedDecrement.KERNEL32(?), ref: 070FD303

Part of subcall function 070FD320: InterlockedDecrement.KERNEL32(?), ref: 070FD37B
Part of subcall function 070FD320: HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 070FD396

Part of subcall function 070FD0F0: InterlockedIncrement.KERNEL32(?), ref: 070FD165
Part of subcall function 070FD0F0: InterlockedExchangeAdd.KERNEL32(?,?), ref: 070FD18A
Part of subcall function 070FD0F0: InterlockedDecrement.KERNEL32(?), ref: 070FD1C9
Part of subcall function 070FD0F0: InterlockedDecrement.KERNEL32(?), ref: 070FD1D3
Part of subcall function 070FD0F0: HeapFree.KERNEL32(00000000,00000000,?,?,?,070FCD6E,00000000,?), ref: 070FD1F2

GetCurrentThreadId.KERNEL32 ref: 070FCD89

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Decrement$CompletionCurrentErrorFreeHeapIncrementLastQueuedStatusThread$CloseExchangeHandleMultipleObjectsOverlappedPostResultTimeWait_memmovetime
String ID:
API String ID: 1364948684-0
Opcode ID: 5d0d294c498fed1d3e3cdf8ae3ecb6044a685cde28d10fb5c56634d5b93271d8
Instruction ID: 6bee4a3659cee32ea914eb6525fbbea9d5a259c9e37e78e9b85adaf42a53afe9
Opcode Fuzzy Hash: 5d0d294c498fed1d3e3cdf8ae3ecb6044a685cde28d10fb5c56634d5b93271d8
Instruction Fuzzy Hash: 5D91A4F5A00519ABEB14DF68D895BAFB7A9BF44710F10431AEA15D7780DB30E901CBE1

Function 070ECDF0 Relevance: 15.2, APIs: 10, Instructions: 210COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 070ECE22
_memmove.LIBCMT ref: 070ECE57

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CompletionPostQueuedStatus_memmove
String ID:
API String ID: 1171552072-0
Opcode ID: fe20420383746eb202a9023e8072cc3a851b0f891fce6fbbe333a96b1c7d151a
Instruction ID: ba594ee7df21d01574c668a4ba6b62bd2da9787f19b83daccb91a5e8a8973502
Opcode Fuzzy Hash: fe20420383746eb202a9023e8072cc3a851b0f891fce6fbbe333a96b1c7d151a
Instruction Fuzzy Hash: 726180F5A00219AFEB14DFA8D884AAFB7B9FB48304F10425AE915E7340D731AD01CBE1

Function 070E2650 Relevance: 15.2, APIs: 10, Instructions: 169filestringCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 070E2707

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

SetLastError.KERNEL32(?,?,?,18B52151), ref: 070E271B
UnmapViewOfFile.KERNEL32(?,?,?,?,18B52151), ref: 070E272C
CloseHandle.KERNEL32(?,?,?,?,18B52151), ref: 070E274C
CloseHandle.KERNEL32(?,?,?,?,18B52151), ref: 070E2764
lstrlen.KERNEL32(?), ref: 070E278F
_memcpy_s.LIBCMT ref: 070E27B3

Part of subcall function 070E6170: GetFileSize.KERNEL32(?,?), ref: 070E61B6

UnmapViewOfFile.KERNEL32(?,?,?,18B52151), ref: 070E281A
CloseHandle.KERNEL32(?,?,?,18B52151), ref: 070E283A
CloseHandle.KERNEL32(?,?,?,18B52151), ref: 070E2852

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$File$ErrorLastUnmapView$Exception@8FreeHeapSizeThrow_free_memcpy_slstrlen
String ID:
API String ID: 3220566326-0
Opcode ID: 68154e08d588f0ff96498fcbfefcf9d55c7446029f1bf241164773ad45e2e1a5
Instruction ID: ff353e47837f0b5b012caf508938aca45c7e54dd0dbcaecf157478622179c9d2
Opcode Fuzzy Hash: 68154e08d588f0ff96498fcbfefcf9d55c7446029f1bf241164773ad45e2e1a5
Instruction Fuzzy Hash: A8516FF16097459FC760DF64D980A5BB7ECBF88654F008A2DF859E7340E634D9058BA2

Function 070F3080 Relevance: 15.2, APIs: 10, Instructions: 155memorynetworkCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 070F30F2
_memmove.LIBCMT ref: 070F313D
InterlockedExchangeAdd.KERNEL32(?,?), ref: 070F314A
InterlockedIncrement.KERNEL32(?), ref: 070F3173
WSASend.WS2_32(?,0000001C,00000001,?,00000000,00000000,00000000), ref: 070F3189
WSAGetLastError.WS2_32(?,?,?,?,?,070BA727,?,?,?), ref: 070F3194
InterlockedDecrement.KERNEL32(?), ref: 070F31A8
InterlockedDecrement.KERNEL32(00000028), ref: 070F31C9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 070F31F4
InterlockedExchangeAdd.KERNEL32(?,?), ref: 070F3226

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$DecrementExchangeHeap$AllocateErrorFreeIncrementLastSend_memmove
String ID:
API String ID: 728682284-0
Opcode ID: 614d5382186390d3d6205b95ecc1fe3530a082dfc27ff81d754701cb17f52edf
Instruction ID: 96a198b79b5e5645c343397b912d41f0d6ed1d0cadc51f678ff633228e9b803e
Opcode Fuzzy Hash: 614d5382186390d3d6205b95ecc1fe3530a082dfc27ff81d754701cb17f52edf
Instruction Fuzzy Hash: 20512FB1A00209EFDB44DF68D984B9EBBB9FF48324F108256E909DB341D774DA40CBA1

Function 070EDFA0 Relevance: 15.2, APIs: 10, Instructions: 155memorynetworkCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 070EE012
_memmove.LIBCMT ref: 070EE05D
InterlockedExchangeAdd.KERNEL32(00000000,?), ref: 070EE06A
InterlockedIncrement.KERNEL32(00000000), ref: 070EE093
WSASend.WS2_32(?,0000001C,00000001,?,00000000,00000000,00000000), ref: 070EE0A9
WSAGetLastError.WS2_32(?,?,?,?,?,070BB527,?,?,?), ref: 070EE0B4
InterlockedDecrement.KERNEL32(00000000), ref: 070EE0C8
InterlockedDecrement.KERNEL32(00000028), ref: 070EE0E9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 070EE114
InterlockedExchangeAdd.KERNEL32(00000000,?), ref: 070EE146

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$DecrementExchangeHeap$AllocateErrorFreeIncrementLastSend_memmove
String ID:
API String ID: 728682284-0
Opcode ID: 5677da60b91288917e7ba9717255a3bf107651a62071d216ba35a57aebfe01b6
Instruction ID: 7132fae4c020d6902d663037982d6ce7cc302484c02d57e1f167f80726bf1922
Opcode Fuzzy Hash: 5677da60b91288917e7ba9717255a3bf107651a62071d216ba35a57aebfe01b6
Instruction Fuzzy Hash: 855121B1A00209EFDB44DF68D984B9EBBB9FF48314F108696E909DB345D774D940CBA1

Function 070E8310 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070E8347
InterlockedIncrement.KERNEL32(?), ref: 070E83BD
RtlEnterCriticalSection.NTDLL(?), ref: 070E83C7
RtlLeaveCriticalSection.NTDLL(?), ref: 070E843F
InterlockedDecrement.KERNEL32(?), ref: 070E8446
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,00000000), ref: 070E8469
SetLastError.KERNEL32(00000000), ref: 070E8470
SetLastError.KERNEL32(0000000D), ref: 070E848B
SetLastError.KERNEL32(0000139F), ref: 070E84A0
RtlLeaveCriticalSection.NTDLL(?), ref: 070E84B1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterInterlockedLeave$CompletionDecrementIncrementPostQueuedStatus
String ID:
API String ID: 3194838562-0
Opcode ID: 5a128762009eee43267328349657e51cbbef8a7c0accae54c38233453939c3f0
Instruction ID: 70374c0c3aa18762a510046a17815d5be9a9094367f7a6f1ddb192617e8223f6
Opcode Fuzzy Hash: 5a128762009eee43267328349657e51cbbef8a7c0accae54c38233453939c3f0
Instruction Fuzzy Hash: 27519EF1600206EFDB54DF64E989B6A77BCFF08304F00D659EA069B281DB74E401CB61

Function 070E2390 Relevance: 15.1, APIs: 10, Instructions: 100windowthreadCOMMON

Download Yara Rule

APIs

GetExitCodeThread.KERNEL32(?,?), ref: 070E23AE
SetEvent.KERNEL32(?), ref: 070E23D8
MsgWaitForMultipleObjects.USER32(00000001,00000103,00000000,000000FF,000004FF), ref: 070E240F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070E2425
TranslateMessage.USER32(?), ref: 070E2434
DispatchMessageA.USER32(?), ref: 070E243A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070E2448
SetLastError.KERNEL32(000005B4), ref: 070E2470
CloseHandle.KERNEL32(?), ref: 070E248D
ResetEvent.KERNEL32(?), ref: 070E24B5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$EventPeek$CloseCodeDispatchErrorExitHandleLastMultipleObjectsResetThreadTranslateWait
String ID:
API String ID: 4040881216-0
Opcode ID: 63ce3e895f7b425615fcbaca0673e81feb4e8eb21d09ff3477d897b1337f056c
Instruction ID: a6a2a8e1f9a484505756145e176eb71d40c80fb113dc847bbf657933f4e7c812
Opcode Fuzzy Hash: 63ce3e895f7b425615fcbaca0673e81feb4e8eb21d09ff3477d897b1337f056c
Instruction Fuzzy Hash: 2C318FF5600706AFEB25DB60EC49FAA73ADFB44714F14431AFA55E7280DBB4E5008B61

Function 070E3710 Relevance: 15.1, APIs: 10, Instructions: 100windowthreadCOMMON

Download Yara Rule

APIs

GetExitCodeThread.KERNEL32(?,?), ref: 070E372E
SetEvent.KERNEL32(?), ref: 070E3758
MsgWaitForMultipleObjects.USER32(00000001,00000103,00000000,000000FF,000004FF), ref: 070E378F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070E37A5
TranslateMessage.USER32(?), ref: 070E37B4
DispatchMessageA.USER32(?), ref: 070E37BA
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070E37C8
SetLastError.KERNEL32(000005B4), ref: 070E37F0
CloseHandle.KERNEL32(?), ref: 070E380D
ResetEvent.KERNEL32(?), ref: 070E3835

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$EventPeek$CloseCodeDispatchErrorExitHandleLastMultipleObjectsResetThreadTranslateWait
String ID:
API String ID: 4040881216-0
Opcode ID: b4d1b9f5f05c30dfc70a6d4c066f8d3b51b17740c0135a2763009f46c9f0eadb
Instruction ID: a655f9ffbb2f3bfbd868ce6d07ca2eafaae1da636ae4a797be10922ec99ba6db
Opcode Fuzzy Hash: b4d1b9f5f05c30dfc70a6d4c066f8d3b51b17740c0135a2763009f46c9f0eadb
Instruction Fuzzy Hash: 203184F5600306AFEB20DA70ED49FAABBADEB44710F144269FA15E72C0DB74E500CA60

Function 070F6760 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 201networkCOMMON

Download Yara Rule

APIs

Part of subcall function 070D6740: StrChrA.SHLWAPI(?,0000005E,?,070EF454,?,070EF829,?,18B52151,00000000,?,0736D060,?,?,?,?,07265268), ref: 070D674B

htons.WS2_32(?), ref: 070F6828
WSASetLastError.WS2_32(0000273B), ref: 070F685C
WSASetLastError.WS2_32(0000273F), ref: 070F6897
socket.WS2_32(00000000,00000002,00000011), ref: 070F68CE
WSAIoctl.WS2_32(00000000,9800000C,00000000,00000004), ref: 070F68FB
WSAGetLastError.WS2_32 ref: 070F6906
WSACreateEvent.WS2_32 ref: 070F693A

Strings

255.255.255.255, xrefs: 070F67B0, 070F67CB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$CreateEventIoctlhtonssocket
String ID: 255.255.255.255
API String ID: 2120161073-2422070025
Opcode ID: bfde27d2b4eac29ff4b46b3a7df08ea281314da48da57756c03b5122c45b9a66
Instruction ID: 61b1799e7ee78360bb43d0256167bea9e25c6195e05ec860573a047bb4aaa6b7
Opcode Fuzzy Hash: bfde27d2b4eac29ff4b46b3a7df08ea281314da48da57756c03b5122c45b9a66
Instruction Fuzzy Hash: 4B6106F6A04306EBDB24DF64D845BAA77A4FF04310F00476AEE1597780DB32A951CBD1

Function 071ACEF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102encryptionCOMMON

Download Yara Rule

APIs

CertCloseStore.CRYPT32(00000000,00000000), ref: 071ACF5D
CertFreeCRLContext.CRYPT32(00000000), ref: 071ACF7D
CertCloseStore.CRYPT32(00000000,00000000), ref: 071ACF86
CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 071ACF98
CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 071ACFC6
CertCloseStore.CRYPT32(00000000,00000000), ref: 071ACFD5

Strings

Listing certs for store %s, xrefs: 071ACF19
Certificate %d, xrefs: 071ACFA9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Cert$Store$Close$CertificatesEnum$ContextFree
String ID: Certificate %d$Listing certs for store %s
API String ID: 3370098959-3674431298
Opcode ID: e68162c7f068100d2933ea9042b6332dc02019ebe9166bd1121dff42a1308715
Instruction ID: 17e9546bd66701d3aa3e6cb698e744a63a0517ae55e9f5490aa8c175ab985709
Opcode Fuzzy Hash: e68162c7f068100d2933ea9042b6332dc02019ebe9166bd1121dff42a1308715
Instruction Fuzzy Hash: 50212CF7705216AFD6107E58BC44A6FB398EF85536F14052AF90A933C0CB259C0546F2

Function 070D0FA0 Relevance: 13.7, APIs: 9, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 070D1020
_free.LIBCMT ref: 070D1130
std::exception::exception.LIBCMT ref: 070D115F
__CxxThrowException@8.LIBCMT ref: 070D1174
SetLastError.KERNEL32(0000000D,?,?,00000000,?,?,?,?), ref: 070D117B
_free.LIBCMT ref: 070D1182
SetLastError.KERNEL32(00000018,?,?,00000000,?,?,?,?), ref: 070D11A3
_free.LIBCMT ref: 070D11AA

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast_free$Exception@8FreeHeapThrow_mallocstd::exception::exception
String ID:
API String ID: 3837565262-0
Opcode ID: ba5584826d04ace9b859f11e1f72139c0b43b599e291c93fd9084b32d8dceb43
Instruction ID: eee6b343d633174194390f8a50b011b2a133fdccd17d8232a21b789ff4fc6ff3
Opcode Fuzzy Hash: ba5584826d04ace9b859f11e1f72139c0b43b599e291c93fd9084b32d8dceb43
Instruction Fuzzy Hash: 2661CEF6E003599BDB18DF98D881BAEBBF4FB48710F14426AE819E7340DB759940CB91

Function 070D11F0 Relevance: 13.7, APIs: 9, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 070D1270
_free.LIBCMT ref: 070D1380
std::exception::exception.LIBCMT ref: 070D13AF
__CxxThrowException@8.LIBCMT ref: 070D13C4
SetLastError.KERNEL32(0000000D,?,?,00000000,?,?,?,?), ref: 070D13CB
_free.LIBCMT ref: 070D13D2
SetLastError.KERNEL32(00000018,?,?,00000000,?,?,?,?), ref: 070D13F3
_free.LIBCMT ref: 070D13FA

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast_free$Exception@8FreeHeapThrow_mallocstd::exception::exception
String ID:
API String ID: 3837565262-0
Opcode ID: af7f5ea5e721bf1c475f1635358bf5277109662c962a4713b4677d08e5db2fe0
Instruction ID: 3aba03b7ce4f37e337e6d77c9df51bb099131a53c51ea8e60427f060764d8d42
Opcode Fuzzy Hash: af7f5ea5e721bf1c475f1635358bf5277109662c962a4713b4677d08e5db2fe0
Instruction Fuzzy Hash: 0A619CF2E103199BDB18CF99D881BAEB7F4FB48710F15426AE815E7340DB759940CBA1

Function 070BC1C0 Relevance: 13.7, APIs: 9, Instructions: 189memorytimeCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,18B52151,00000008,00000000), ref: 070BC223
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,07263250,000000FF), ref: 070BC238
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,18B52151,00000008,00000000), ref: 070BC2AD
HeapCreate.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 070BC330
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,?,?,?,00000004,00000000,00000000), ref: 070BC363
CreateTimerQueue.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 070BC37F
CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 070BC3D6
CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 070BC3E3
_free.LIBCMT ref: 070BC422

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Create$InfoNativeSemaphoreSystem$CountCriticalEventHeapInitializeQueueSectionSpinTimer_free
String ID:
API String ID: 3783933424-0
Opcode ID: c0bea7d0baee1687136ea482b95d03a90a7215a9bf57cbcf9ec005ccef120ddf
Instruction ID: 232be3915a9d1013b8abcc43da27436ba3448740035dc7685df3a378edcd21d4
Opcode Fuzzy Hash: c0bea7d0baee1687136ea482b95d03a90a7215a9bf57cbcf9ec005ccef120ddf
Instruction Fuzzy Hash: DE8103F0A11A46AFE759DF79D9847CAFBE8FB08304F50822EE12C97240D77466648F91

Function 070C9440 Relevance: 13.7, APIs: 9, Instructions: 171timeCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C9480
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C948D
InterlockedDecrement.KERNEL32(?), ref: 070C94B8
timeGetTime.WINMM(?), ref: 070C9526
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C955A
timeGetTime.WINMM ref: 070C9582
timeGetTime.WINMM ref: 070C958C
InterlockedDecrement.KERNEL32(?), ref: 070C95BE
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C9619

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CompareExchange$Timetime$Decrement
String ID:
API String ID: 1774158691-0
Opcode ID: f45f4fc848188137cbeb1205a21c46a007dba576a16d403c30fe77f71018cbab
Instruction ID: 1389d2a4775321fb1218712b4a8e13ffcd961b9d4f5c97d002a7e914f6b201da
Opcode Fuzzy Hash: f45f4fc848188137cbeb1205a21c46a007dba576a16d403c30fe77f71018cbab
Instruction Fuzzy Hash: 22515CF0224702AFD720CF29C884B1EB7E9BB85714F108B2EF5A99B290D774E541CB52

Function 070E8860 Relevance: 13.7, APIs: 9, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 070E8892
RtlEnterCriticalSection.NTDLL(?), ref: 070E88B2
SetLastError.KERNEL32(0000139F), ref: 070E88C8
RtlLeaveCriticalSection.NTDLL(?), ref: 070E89D9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: f2ada898cf20ead78ec73709d67ba511330f1bc44ef5037ffa17bdc4e862a130
Instruction ID: 0ad7088552a987e0e3e4c9d425944dd2db162afc817931857b0cd13c0dfeeeef
Opcode Fuzzy Hash: f2ada898cf20ead78ec73709d67ba511330f1bc44ef5037ffa17bdc4e862a130
Instruction Fuzzy Hash: C351C0B1A00605DFD750CF64E985A6AB3E8FF48714F04966EE91AD7780D774F900CB62

Function 070EB160 Relevance: 13.6, APIs: 9, Instructions: 147COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000008), ref: 070EB195
InterlockedIncrement.KERNEL32(?), ref: 070EB1F7
RtlEnterCriticalSection.NTDLL(?), ref: 070EB201
RtlLeaveCriticalSection.NTDLL(?), ref: 070EB27E
InterlockedDecrement.KERNEL32(?), ref: 070EB285
SetLastError.KERNEL32(0000000D), ref: 070EB296
PostQueuedCompletionStatus.KERNEL32(?,000010D8,?,00000000), ref: 070EB2CA
SetLastError.KERNEL32(000010D8), ref: 070EB2D1
RtlLeaveCriticalSection.NTDLL(?), ref: 070EB2DE

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$EnterErrorInterlockedLastLeave$CompletionDecrementIncrementPostQueuedStatus
String ID:
API String ID: 1309742492-0
Opcode ID: 3ca7972c7bb8ae014e027f277b98ac741aff5cc18a851a15225bbfd7f3d75888
Instruction ID: fe8bb35d8901eed9a995018f274195cb216eb1b761b38455e149cf8d11f2130a
Opcode Fuzzy Hash: 3ca7972c7bb8ae014e027f277b98ac741aff5cc18a851a15225bbfd7f3d75888
Instruction Fuzzy Hash: AB5160F160064AAFDB14DFA4D984E6EB7ADFF48314F00866EEA1697740DB34E900CB91

Function 070C9660 Relevance: 13.6, APIs: 9, Instructions: 146timeCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C969C
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C96A9
InterlockedDecrement.KERNEL32(?), ref: 070C96CC
timeGetTime.WINMM(?), ref: 070C973F
InterlockedCompareExchange.KERNEL32 ref: 070C9772
timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 070C9796
timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 070C97A0
InterlockedDecrement.KERNEL32(?), ref: 070C97CD
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070C97F9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CompareExchange$Timetime$Decrement
String ID:
API String ID: 1774158691-0
Opcode ID: 391cd20f41d8a3b378257b71df431b902c93ff412d97a951796618de8f811627
Instruction ID: 992f2748a129bc067474131fd0c3362d39070d85f6fb67e8ef667a0378af374e
Opcode Fuzzy Hash: 391cd20f41d8a3b378257b71df431b902c93ff412d97a951796618de8f811627
Instruction Fuzzy Hash: DD51AAF0A24702AFD710CF25D985B5EB7E8BB45724F10872EE4A997280DB78F544CB92

Function 070BC4A0 Relevance: 13.6, APIs: 9, Instructions: 132memorysynchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 070BC4F1
SetLastError.KERNEL32(00000000), ref: 070BC4FF
_free.LIBCMT ref: 070BC529
CloseHandle.KERNEL32(?), ref: 070BC569
CloseHandle.KERNEL32(?), ref: 070BC58D
DeleteTimerQueueEx.KERNEL32(?,000000FF,?), ref: 070BC5C6
RtlDeleteCriticalSection.NTDLL(?), ref: 070BC5EB
HeapDestroy.KERNEL32(?), ref: 070BC5FC
CloseHandle.KERNEL32(?), ref: 070BC636

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$Delete$CriticalDestroyErrorHeapLastObjectQueueSectionSingleTimerWait_free
String ID:
API String ID: 3983045855-0
Opcode ID: c5e8758f8e5bcb94fcdabe7deff269d271953231b93fad0c2d474d145395217f
Instruction ID: c8968a5721159c16b1e1067645451d73a39e806051ca143cdfe9f9f73d68cc50
Opcode Fuzzy Hash: c5e8758f8e5bcb94fcdabe7deff269d271953231b93fad0c2d474d145395217f
Instruction Fuzzy Hash: 9C41A3F1A14647FBDB25DFB4D888ADAF7E8FB04304F50476AE529E3240D73466148BA1

Function 070F0290 Relevance: 13.6, APIs: 9, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070F02A3
_free.LIBCMT ref: 070F02B3

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

ResetEvent.KERNEL32(?), ref: 070F02D1
ResetEvent.KERNEL32(?), ref: 070F02DA
ResetEvent.KERNEL32(?), ref: 070F02E3
HeapDestroy.KERNEL32(?), ref: 070F0303
HeapCreate.KERNEL32(?,?,?), ref: 070F0318
SetEvent.KERNEL32 ref: 070F0392
RtlLeaveCriticalSection.NTDLL(?), ref: 070F039C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Event$HeapReset$CriticalSection$CreateDestroyEnterErrorFreeLastLeave_free
String ID:
API String ID: 465610239-0
Opcode ID: 1379156bfaa75291cc9c9cb137444907c91264eba7174ac2f83bc0c65ce8b6a4
Instruction ID: 511805cd254adb7000359c7672506690212301fb5189487f49cf4088849b0c63
Opcode Fuzzy Hash: 1379156bfaa75291cc9c9cb137444907c91264eba7174ac2f83bc0c65ce8b6a4
Instruction Fuzzy Hash: 133138B5A00A06EFCB09DF69D98899AF7E8FF48314B10866AE519C7710DB35B911CFD0

Function 070B1210 Relevance: 13.6, APIs: 9, Instructions: 92COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 070B1223

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

_malloc.LIBCMT ref: 070B1255
_memset.LIBCMT ref: 070B1260
_free.LIBCMT ref: 070B1287
_malloc.LIBCMT ref: 070B12C8
_memset.LIBCMT ref: 070B12D6
_free.LIBCMT ref: 070B12EC
_malloc.LIBCMT ref: 070B1327
_memset.LIBCMT ref: 070B1335

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _free_malloc_memset$ErrorFreeHeapLast
String ID:
API String ID: 3649356292-0
Opcode ID: 0b834a7b4b2b77e435e6cf9b4b4d3cd5ff8eed0d87c9feacd153d8c1b50fc9b9
Instruction ID: 420e773a992ac96178274ca6f676a25fdebae1af7c7087869785850b8dcb9030
Opcode Fuzzy Hash: 0b834a7b4b2b77e435e6cf9b4b4d3cd5ff8eed0d87c9feacd153d8c1b50fc9b9
Instruction Fuzzy Hash: 233135F5E12A26BBC758EF7998946D6FBA8FF04204F40472ED96C93200D735B9208BD1

Function 070C7090 Relevance: 13.6, APIs: 9, Instructions: 79threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000014), ref: 070C70AB
GetExitCodeThread.KERNEL32(00000000,?,00000000), ref: 070C70DD
TerminateThread.KERNEL32(00000000,00000000), ref: 070C70F0
CloseHandle.KERNEL32(00000000), ref: 070C70F7
CloseHandle.KERNEL32(?,00000000), ref: 070C710A
RtlLeaveCriticalSection.NTDLL(00000014), ref: 070C7117
RtlDeleteCriticalSection.NTDLL(00000014), ref: 070C711E
CloseHandle.KERNEL32(?), ref: 070C7128
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 070C713B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseCriticalHandleSection$Thread$CodeDeleteEnterExceptionExitLeaveRaiseTerminate
String ID:
API String ID: 664006054-0
Opcode ID: c925f546dc7a6521d6a0a12d031831a9eed2bdc282e5ecb4e18ba4e815f02911
Instruction ID: 754e0ea4359e0059ff683192f2f6f63f8312b854ac507b69b2df7cb60092f7ac
Opcode Fuzzy Hash: c925f546dc7a6521d6a0a12d031831a9eed2bdc282e5ecb4e18ba4e815f02911
Instruction Fuzzy Hash: 091151B2600611BFDB20EB64FD49B9AB3A8FB04315F40964AFA1593780DB74F8148BE1

Function 070B9100 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 301COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 070B92EC

Part of subcall function 07248694: __FF_MSGBANNER.LIBCMT ref: 072486AD
Part of subcall function 07248694: __NMSG_WRITE.LIBCMT ref: 072486B4
Part of subcall function 07248694: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 072486D9

_memmove.LIBCMT ref: 070B9332

Part of subcall function 070B8590: __vswprintf.LIBCMT ref: 070B85CA

Strings

input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 070B926A
[RI] %d bytes, xrefs: 070B912A
input wins: %lu, xrefs: 070B938A
input psh: sn=%lu ts=%lu, xrefs: 070B929F
input probe, xrefs: 070B935D

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: AllocateHeap__vswprintf_malloc_memmove
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 1438150933-868042568
Opcode ID: eac261d4f20c9479dc8b0ef9c0b54fef8f4fb8c975afe8dc6f0ccb1da7fc9159
Instruction ID: 0f0ca792d803a4ea9e2c8aba270bad5408f5083f77f4938803ab6f1db2edb4b3
Opcode Fuzzy Hash: eac261d4f20c9479dc8b0ef9c0b54fef8f4fb8c975afe8dc6f0ccb1da7fc9159
Instruction Fuzzy Hash: 86B180F1A10205DFCB28CF68C890AEE7BB5AF45310F0586AEDD199B346D770EA45CB91

Function 070EA7E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 07248614: _malloc.LIBCMT ref: 0724862E

std::exception::exception.LIBCMT ref: 070EA88B
__CxxThrowException@8.LIBCMT ref: 070EA8A0
SetLastError.KERNEL32(00000015), ref: 070EA8C2

Strings

@KL, xrefs: 070F0B03
CSSLServer::CheckParams, xrefs: 070EA8CC
CTcpServer::CheckParams, xrefs: 070F0B80

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorException@8LastThrow_mallocstd::exception::exception
String ID: @KL$CSSLServer::CheckParams$CTcpServer::CheckParams
API String ID: 1046406530-2915301922
Opcode ID: 54fdf84ab8537458ad583dde2a239942a11106baa20e95a105e12db1d530b932
Instruction ID: 5f5834a88ad0439fc25439787e55e61bed02828ea1fdbe2adf12f1d31c65949c
Opcode Fuzzy Hash: 54fdf84ab8537458ad583dde2a239942a11106baa20e95a105e12db1d530b932
Instruction Fuzzy Hash: 0D419EF1A00309DFEB60CF54C848B9977E4EB04B1CF1046BDEA18CAA82D776D446CB56

Function 070DAC00 Relevance: 12.4, APIs: 8, Instructions: 367COMMON

Download Yara Rule

APIs

__wfopen_s.LIBCMT ref: 070DAC5D
__time64.LIBCMT ref: 070DAE04

Part of subcall function 0724AA53: __getptd_noexit.LIBCMT ref: 0724AA53

SetLastError.KERNEL32(00000002), ref: 070DAC79
SetLastError.KERNEL32(?), ref: 070DAC99

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$__getptd_noexit__time64__wfopen_s
String ID:
API String ID: 3797449301-0
Opcode ID: 4fc44bc0aa292fb0a1d906381750d06447ce6bc68dfee4c0fa1e1a70baf7f56f
Instruction ID: 82f8f8d1845da97c5eed4816a856f70aec0456481da261f69dd5b428e34c4881
Opcode Fuzzy Hash: 4fc44bc0aa292fb0a1d906381750d06447ce6bc68dfee4c0fa1e1a70baf7f56f
Instruction Fuzzy Hash: 25E1BFF1A08341CFD750DF68C885A9AB7E5BF85324F048B5DE5A987291DB34ED01CB92

Function 070D6D30 Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010DD,?,?,?,?,?,07262698,000000FF), ref: 070D6D68
SetLastError.KERNEL32(0000139F,?,?,?,?,?,07262698,000000FF), ref: 070D6D96

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: b000e5430833b194384aa44c2e65f2f70921fb35cabd9482126bae485437714b
Instruction ID: 2be5aee7a18406c06789d84af5f3db18d57bef9c76e04c7b1d8b21ff53a4ec11
Opcode Fuzzy Hash: b000e5430833b194384aa44c2e65f2f70921fb35cabd9482126bae485437714b
Instruction Fuzzy Hash: D24161B1704606DFE704DF58F995BAAF7E4FB48755F0082AAE919C7740EB36A810CB90

Function 070D7FC0 Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010DD,?,?,?,?,?,07262698,000000FF), ref: 070D7FF8
SetLastError.KERNEL32(0000139F,?,?,?,?,?,07262698,000000FF), ref: 070D8026

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d4c77535a2b0358fb72dec9df3544f0afada384053dca860e9e47a0e51edc040
Instruction ID: 304637f990ee3d92ba43a9b01c600794d84c8af3e074607773c69604cc19c75b
Opcode Fuzzy Hash: d4c77535a2b0358fb72dec9df3544f0afada384053dca860e9e47a0e51edc040
Instruction Fuzzy Hash: 034173B1604606DFD354DF58E989B9AF7E4FB48315F1082AAD919C3780EB36A810CB90

Function 070BCB10 Relevance: 12.1, APIs: 8, Instructions: 119synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000009,000000FF,18B52151), ref: 070BCB5D
SetLastError.KERNEL32(00000000), ref: 070BCB6B
CloseHandle.KERNEL32(?), ref: 070BCB88
CloseHandle.KERNEL32(?), ref: 070BCBAB
CloseHandle.KERNEL32(?), ref: 070BCBCE
RtlDeleteCriticalSection.NTDLL(?), ref: 070BCBF4
_free.LIBCMT ref: 070BCC2D
CloseHandle.KERNEL32(00000002), ref: 070BCC49

Part of subcall function 070F89E0: GetCurrentThreadId.KERNEL32 ref: 070F89E4

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWait_free
String ID:
API String ID: 3924219484-0
Opcode ID: c33bb00fa9cb67ed35a1c925f42566d1f0dc10803e9bac79d29561cee42c46af
Instruction ID: 4f40366d008636fcf767608275d8152e51e4bd2a826be110039d3a2c7eb96d9e
Opcode Fuzzy Hash: c33bb00fa9cb67ed35a1c925f42566d1f0dc10803e9bac79d29561cee42c46af
Instruction Fuzzy Hash: 084181F160464BEBDB10DFB8D984EDAB7E8FB04314F10876AE514D7240DB34AA14CBA1

Function 070BB310 Relevance: 12.1, APIs: 8, Instructions: 119synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000009,000000FF,18B52151), ref: 070BB35D
SetLastError.KERNEL32(00000000), ref: 070BB36B
CloseHandle.KERNEL32(?), ref: 070BB388
CloseHandle.KERNEL32(?), ref: 070BB3AB
CloseHandle.KERNEL32(?), ref: 070BB3CE
RtlDeleteCriticalSection.NTDLL(?), ref: 070BB3F4
_free.LIBCMT ref: 070BB42D
CloseHandle.KERNEL32(00000002), ref: 070BB449

Part of subcall function 070F0200: GetCurrentThreadId.KERNEL32 ref: 070F0204

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWait_free
String ID:
API String ID: 3924219484-0
Opcode ID: 70675766f06deb5f8dec04d9b5402fde17081a452b66328dde73ff59a806ddad
Instruction ID: 63415d25b45411e6693a428f55b7d83cc5bdc7b01ac48581eeab915379931866
Opcode Fuzzy Hash: 70675766f06deb5f8dec04d9b5402fde17081a452b66328dde73ff59a806ddad
Instruction Fuzzy Hash: F041BDF160064BFBDB20DFB8DC84A99B7E8FB04314F54876AE515D7680DB34AA18CB90

Function 070BD110 Relevance: 12.1, APIs: 8, Instructions: 119synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000009,000000FF,18B52151), ref: 070BD15D
SetLastError.KERNEL32(00000000), ref: 070BD16B
CloseHandle.KERNEL32(?), ref: 070BD188
CloseHandle.KERNEL32(?), ref: 070BD1AB
CloseHandle.KERNEL32(?), ref: 070BD1CE
RtlDeleteCriticalSection.NTDLL(?), ref: 070BD1F4
_free.LIBCMT ref: 070BD236
CloseHandle.KERNEL32(00000002), ref: 070BD25B

Part of subcall function 070F7110: GetCurrentThreadId.KERNEL32 ref: 070F7114

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWait_free
String ID:
API String ID: 3924219484-0
Opcode ID: f6a69bfc69cb3374d1aae149599910a9c453b6b607c567f7fcbe33da831a914a
Instruction ID: 6650f58f2f5976a7bc5ea2b1a5124d43005bbb918e8b49d6047494af6f68d77f
Opcode Fuzzy Hash: f6a69bfc69cb3374d1aae149599910a9c453b6b607c567f7fcbe33da831a914a
Instruction Fuzzy Hash: 50418CF170064AFFDB24DBB8D884B99F7E9FB45314F504B6AE518D7240CB34AA148B91

Function 070F20A0 Relevance: 12.1, APIs: 8, Instructions: 81windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070F20D9
timeGetTime.WINMM ref: 070F20EA
MsgWaitForMultipleObjects.USER32(00000001,00000007,00000000,-00000032,000004FF), ref: 070F2109
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070F211F
TranslateMessage.USER32(?), ref: 070F2129
DispatchMessageA.USER32(?), ref: 070F212F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070F2141
SetLastError.KERNEL32(000005B4), ref: 070F2168

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
String ID:
API String ID: 4242711932-0
Opcode ID: 9bf1d1faf2585a36432e36951958f1e6f8b36910dbf1fe8805d5869214de2fac
Instruction ID: 12c897487bd838fb4cbc132db1ffd2fa172bc6743d6bfe9563f4dd19e448dc8a
Opcode Fuzzy Hash: 9bf1d1faf2585a36432e36951958f1e6f8b36910dbf1fe8805d5869214de2fac
Instruction Fuzzy Hash: 1521FBB1340205ABEB1496A4ED89FBE77ADFB48710F00431AFF05D62C0DA74D440C764

Function 070FC8C0 Relevance: 12.1, APIs: 8, Instructions: 81windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,?,?,?,?,?,18B52151), ref: 070FC8F9
timeGetTime.WINMM(?,?,?,?,?,?,?,18B52151), ref: 070FC90A
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 070FC929
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070FC93F
TranslateMessage.USER32(?), ref: 070FC949
DispatchMessageA.USER32(?), ref: 070FC94F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070FC961
SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,18B52151), ref: 070FC988

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
String ID:
API String ID: 4242711932-0
Opcode ID: ee63763e2e557194ba1391021dd5f54ad53372f6ed06fe5fe000a1272d74491f
Instruction ID: 2c6a7e18997aa5a6e4a53a3bb9ed1eed077f405986db0f077f26203197892d64
Opcode Fuzzy Hash: ee63763e2e557194ba1391021dd5f54ad53372f6ed06fe5fe000a1272d74491f
Instruction Fuzzy Hash: E821A4B1744209ABFB1496B4ED4FFAE73A9AB44710F14432AFF01E62C0EA74D5418671

Function 070F03B0 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 070F03D6
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 070F0403
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070F0419
TranslateMessage.USER32(?), ref: 070F0424
DispatchMessageA.USER32(?), ref: 070F042A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070F0438
SetLastError.KERNEL32(000005B4), ref: 070F0461
CloseHandle.KERNEL32(00000000), ref: 070F0478

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: ddda6f9cb057d7b64d97846e206adf22e556480d454e8c166af43f2a5ef15c94
Instruction ID: d9b23415cca2b78dd32ef79c1d5ccf02275ecc35c4cdea0c02a63ac9597eb9b1
Opcode Fuzzy Hash: ddda6f9cb057d7b64d97846e206adf22e556480d454e8c166af43f2a5ef15c94
Instruction Fuzzy Hash: 5E2190F1500215AFEB20DBA4ED45FAA73A8EB48710F10461AFB11A66C1DAB4F940CB61

Function 070F2190 Relevance: 12.1, APIs: 8, Instructions: 79windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070F21C9
timeGetTime.WINMM ref: 070F21DA
MsgWaitForMultipleObjects.USER32(00000001,00000007,00000000,-00000032,000004FF), ref: 070F21F9
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070F220F
TranslateMessage.USER32(?), ref: 070F2219
DispatchMessageA.USER32(?), ref: 070F221F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070F2231
SetLastError.KERNEL32(000005B4), ref: 070F2258

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
String ID:
API String ID: 4242711932-0
Opcode ID: c19370c7c0249cb411b675a28b0693902255d11208bf22e2f66b82cf9c97e95a
Instruction ID: dfa175b10f869e5d01d7fd26931d5b5c918bde1b60357d6fb7594294ead8e542
Opcode Fuzzy Hash: c19370c7c0249cb411b675a28b0693902255d11208bf22e2f66b82cf9c97e95a
Instruction Fuzzy Hash: 7821C5B1640205BBEF6496A4ED8AFED33A9FB44714F14831AFF01E62C0DAB494818665

Function 070ECD00 Relevance: 12.1, APIs: 8, Instructions: 79windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070ECD39
timeGetTime.WINMM ref: 070ECD4A
MsgWaitForMultipleObjects.USER32(00000001,00000007,00000000,-00000032,000004FF), ref: 070ECD69
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070ECD7F
TranslateMessage.USER32(?), ref: 070ECD89
DispatchMessageA.USER32(?), ref: 070ECD8F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070ECDA1
SetLastError.KERNEL32(000005B4), ref: 070ECDC8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
String ID:
API String ID: 4242711932-0
Opcode ID: 29973bd776538237a4826bec9c557f867747c8328d3a2c6af17be16e17382208
Instruction ID: 136debb0378b0cc609d83cf17f029f8cc5991cd06cd73127e307aadcea4679a2
Opcode Fuzzy Hash: 29973bd776538237a4826bec9c557f867747c8328d3a2c6af17be16e17382208
Instruction Fuzzy Hash: 1321C5F2744205AFFB1496A4ED4AFEE7BADEB44714F04421AFA11EA2C0DAB79440C671

Function 070F8BB0 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 070F8BD6
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 070F8C03
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070F8C19
TranslateMessage.USER32(?), ref: 070F8C24
DispatchMessageA.USER32(?), ref: 070F8C2A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070F8C38
SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 070F8C61
CloseHandle.KERNEL32(00000000), ref: 070F8C78

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: 299c40ee9f3a90f7bcf4d55a57e2538f6a9759f6e446c6c20a68f4b3b2a3337c
Instruction ID: f7e045f4a6a5da06ebb9aa034654a9be4ca35bb98b4c6028b5c8f6326cb80ff5
Opcode Fuzzy Hash: 299c40ee9f3a90f7bcf4d55a57e2538f6a9759f6e446c6c20a68f4b3b2a3337c
Instruction Fuzzy Hash: DB2160F1541315ABEB20DBA4EC45FEA77A8EB48710F14861AEB11A66C0DB74E940CBA1

Function 070FC9B0 Relevance: 12.1, APIs: 8, Instructions: 79windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070FC9E9
timeGetTime.WINMM ref: 070FC9FA
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 070FCA19
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070FCA2F
TranslateMessage.USER32(?), ref: 070FCA39
DispatchMessageA.USER32(?), ref: 070FCA3F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070FCA51
SetLastError.KERNEL32(000005B4), ref: 070FCA78

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
String ID:
API String ID: 4242711932-0
Opcode ID: 6a9db1c16153d6de7b926a80b896174b66c2967a2ad1f5ff68b16d77b98aefce
Instruction ID: 47025a30728a46a4829610de71a620f19869645abe993a3d591fb30ef778fe3a
Opcode Fuzzy Hash: 6a9db1c16153d6de7b926a80b896174b66c2967a2ad1f5ff68b16d77b98aefce
Instruction Fuzzy Hash: 4F21C5B1641209ABFB14D6A4ED4FFBE73A9EB48718F04471AFB01E65C0DBB4A440C671

Function 070F7320 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 070F7346
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 070F7373
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 070F7389
TranslateMessage.USER32(?), ref: 070F7394
DispatchMessageA.USER32(?), ref: 070F739A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 070F73A8
SetLastError.KERNEL32(000005B4), ref: 070F73D1
CloseHandle.KERNEL32(00000000), ref: 070F73E8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: e5b8d0043938f5a186dfba507cdfc248fdb83c70ef15f57baeab573ba49ad464
Instruction ID: bed14a06785b6806548d75e84eb440ee86fa0dd5295adf9db9343516ccc6865e
Opcode Fuzzy Hash: e5b8d0043938f5a186dfba507cdfc248fdb83c70ef15f57baeab573ba49ad464
Instruction Fuzzy Hash: BC216DB1500315BBEB20DBA4EC85FAA73A9EB48B10F50465AFF11E66C0D774E940CB62

Function 070B87B0 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 070B87F8
_free.LIBCMT ref: 070B8836
_free.LIBCMT ref: 070B8875
_free.LIBCMT ref: 070B88B5
_free.LIBCMT ref: 070B88DD
_free.LIBCMT ref: 070B8901
_free.LIBCMT ref: 070B8939

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 85a5b4fe57a6f300aabb891f70312eef1c0ceebf0d8a10fe7fa0e560a7f8f288
Instruction ID: 8f9258e74e0d37033a9fb25f5f5da7c26b72af798679dac806af23e3ab1f3d05
Opcode Fuzzy Hash: 85a5b4fe57a6f300aabb891f70312eef1c0ceebf0d8a10fe7fa0e560a7f8f288
Instruction Fuzzy Hash: 185129F6A10111DFCB24DF58C484899BBEABF89354B29C1A9D9095F361C732AD42CBD2

Function 070FCF60 Relevance: 10.6, APIs: 7, Instructions: 140COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070FCF94

Part of subcall function 070FBF80: WaitForSingleObject.KERNEL32(?,000000FF), ref: 070FBFC3

RtlLeaveCriticalSection.NTDLL(?), ref: 070FCFBF
RtlLeaveCriticalSection.NTDLL(?), ref: 070FCFEC

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$EnterObjectSingleWait
String ID:
API String ID: 3156609256-0
Opcode ID: 0d916b19d4a3feff4bd30d2ce1977d500b1cd1ec3785d4acd1fffe848354b65d
Instruction ID: 74c05e2cd407b5b74e2b55e41bab5ad45397fb6a1e41bb8af7a0c774a38f68a7
Opcode Fuzzy Hash: 0d916b19d4a3feff4bd30d2ce1977d500b1cd1ec3785d4acd1fffe848354b65d
Instruction Fuzzy Hash: DE4185B2700208AFD710DF64EC85BAEB7B8FB48750F10866BFA15D7740D775A9008B91

Function 070EAF30 Relevance: 10.6, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070EAF70
SetLastError.KERNEL32(0000139F,?,00000000,00000000,07262BB8,000000FF,?,070EAA53,?,?,070CD429,?,?,?,07262BE8,000000FF), ref: 070EAF88
RtlLeaveCriticalSection.NTDLL(?), ref: 070EAF8F
SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,?,?,00000000,070CD429,?,00000000), ref: 070EB037
RtlLeaveCriticalSection.NTDLL(?), ref: 070EB048
SetLastError.KERNEL32(0000139F,18B52151,00000000,?,00000000,00000000,07262BB8,000000FF,?,070EAA53,?,?,070CD429,?,?,?), ref: 070EB086

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enter
String ID:
API String ID: 3650451384-0
Opcode ID: bf5bf8c0bd8eaa25769ca7d394eaa048a039d7e7d2ea532ca4a1e776683f44b7
Instruction ID: 83f8aaffe600d24b1cdd3d1294fd0cd252aa41c5abda34727b28ffffd6b833cb
Opcode Fuzzy Hash: bf5bf8c0bd8eaa25769ca7d394eaa048a039d7e7d2ea532ca4a1e776683f44b7
Instruction Fuzzy Hash: 584191F6604704EFE724CB64E845F6AB3E8FF48715F00866AEE1AD6780E775A500CA61

Function 070F0700 Relevance: 10.6, APIs: 7, Instructions: 118fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 070F077E
UnmapViewOfFile.KERNEL32(?), ref: 070F078F

Part of subcall function 070CB420: GetLastError.KERNEL32(070C736C), ref: 070CB420

CloseHandle.KERNEL32(?), ref: 070F07AF
CloseHandle.KERNEL32(?), ref: 070F07C7
UnmapViewOfFile.KERNEL32(?), ref: 070F07EC
CloseHandle.KERNEL32(?), ref: 070F080C
CloseHandle.KERNEL32(?), ref: 070F0824

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$ErrorFileLastUnmapView
String ID:
API String ID: 4017539725-0
Opcode ID: e950eb0f1a11bbee4993d72afcb727a457a2a8e81199f8d0471bc60889820127
Instruction ID: 91bd6d0b9be55947be78ec091046f95ff20c2431f856eee1ec88cec1a8e1a328
Opcode Fuzzy Hash: e950eb0f1a11bbee4993d72afcb727a457a2a8e81199f8d0471bc60889820127
Instruction Fuzzy Hash: A1414CF1A083069FD750DF35D845B2BB7E8EF88A54F014A69F954D7341EB34E8058AE2

Function 070B1350 Relevance: 10.6, APIs: 7, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 070B13BF
HeapFree.KERNEL32(?,00000000,?), ref: 070B13CE
_free.LIBCMT ref: 070B13FC
HeapDestroy.KERNEL32(?), ref: 070B146F
HeapCreate.KERNEL32(?,?,?), ref: 070B1483
HeapDestroy.KERNEL32(?), ref: 070B1490
HeapCreate.KERNEL32(?,?,?), ref: 070B149E

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Heap$CreateDestroy$CriticalDeleteFreeSection_free
String ID:
API String ID: 1764084169-0
Opcode ID: 5a944e46b487ee47d5efbd2e293ea6ae6f1053af801632da697c77aa14c37400
Instruction ID: 8f464e2afeb8f6dafb8f2f8d00d238df394745fc40c6493d0f5df52902752129
Opcode Fuzzy Hash: 5a944e46b487ee47d5efbd2e293ea6ae6f1053af801632da697c77aa14c37400
Instruction Fuzzy Hash: 88412EF5A002059FCB24DF64D994ADA73F9BF48700F1586B9DD04DB249EB70EA44CBA0

Function 070EE380 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 070EE3AA
RtlEnterCriticalSection.NTDLL(?), ref: 070EE3D5
RtlLeaveCriticalSection.NTDLL(?), ref: 070EE3E4
RtlLeaveCriticalSection.NTDLL(?), ref: 070EE407
RtlEnterCriticalSection.NTDLL(?), ref: 070EE42A
RtlLeaveCriticalSection.NTDLL(?), ref: 070EE439
RtlLeaveCriticalSection.NTDLL(?), ref: 070EE475

Part of subcall function 070EE4C0: InterlockedExchangeAdd.KERNEL32(?,?), ref: 070EE52C
Part of subcall function 070EE4C0: InterlockedIncrement.KERNEL32(?), ref: 070EE552
Part of subcall function 070EE4C0: WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 070EE568
Part of subcall function 070EE4C0: WSAGetLastError.WS2_32 ref: 070EE573
Part of subcall function 070EE4C0: InterlockedDecrement.KERNEL32(?), ref: 070EE584
Part of subcall function 070EE4C0: InterlockedDecrement.KERNEL32(00000002), ref: 070EE58E
Part of subcall function 070EE4C0: HeapFree.KERNEL32(?,00000000,?,?), ref: 070EE5C1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$InterlockedLeave$DecrementEnter$ErrorExchangeFreeHeapIncrementLastSendgetsockopt
String ID:
API String ID: 152964496-0
Opcode ID: 055ab96db36be9e87459c0c619ffb5c9136d31621ccd17b216644993671ed8d8
Instruction ID: aa8f0a28a654df44ea3fd572b355a848687f9b05aaf8c119a096c63869a5a064
Opcode Fuzzy Hash: 055ab96db36be9e87459c0c619ffb5c9136d31621ccd17b216644993671ed8d8
Instruction Fuzzy Hash: 8D31C5F2600109DFEB24DE58E4CCAAA77ADFF44710F1082AAED049B245E7B5DA41C791

Function 070D2B30 Relevance: 10.6, APIs: 7, Instructions: 107COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,18B52151,?,?,?,?,07262BB8,000000FF), ref: 070D2B65
RtlEnterCriticalSection.NTDLL(?), ref: 070D2B85
SetLastError.KERNEL32(000004DF,?,?,?,?,?,?,?,?,?,07262BB8,000000FF), ref: 070D2B9F
RtlLeaveCriticalSection.NTDLL(?), ref: 070D2BA9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 4b2a0f6505a91f8527c8905d1a6fbcffe12b334e386b3de8f0308d033eb1a044
Instruction ID: ca0a02ccf31f65229e100a0f1acdcdc2ea1b40e2597ce91bc5b3548d407848db
Opcode Fuzzy Hash: 4b2a0f6505a91f8527c8905d1a6fbcffe12b334e386b3de8f0308d033eb1a044
Instruction Fuzzy Hash: 20318EB17047059FD714CF68E849BAAB3E9FF88314F0086AAE91AC3740DB75A800CB50

Function 070E2950 Relevance: 10.6, APIs: 7, Instructions: 107COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,18B52151,?,?,?,?,07262BB8,000000FF), ref: 070E2985
RtlEnterCriticalSection.NTDLL(?), ref: 070E29A5
SetLastError.KERNEL32(000004DF,?,?,?,?,?,?,?,?,?,07262BB8,000000FF), ref: 070E29BF
RtlLeaveCriticalSection.NTDLL(?), ref: 070E29C9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 36cf59c3ab1768928b0ab2c5c3e429f09aae447de5e8b252ad9167c07057e4f5
Instruction ID: 376f23110f5461f76b941d033c934eed14f7a6c7938e6f0983c2b78a10f03edd
Opcode Fuzzy Hash: 36cf59c3ab1768928b0ab2c5c3e429f09aae447de5e8b252ad9167c07057e4f5
Instruction Fuzzy Hash: FA31A3B5704604DFD714CB68E849BAAB3EDFB88724F0486ABE919D7740DB35A800CB50

Function 070E1590 Relevance: 10.6, APIs: 7, Instructions: 107COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,18B52151,?,?,?,?,07262BB8,000000FF), ref: 070E15C5
RtlEnterCriticalSection.NTDLL(?), ref: 070E15E5
SetLastError.KERNEL32(000004DF,?,?,?,?,?,?,?,?,?,07262BB8,000000FF), ref: 070E15FF
RtlLeaveCriticalSection.NTDLL(?), ref: 070E1609

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: d9c5351948892cfef6990f1d36bc9d0ce1c875b5b246aa24e27cb6c397f7a83e
Instruction ID: 46511e33b348777ab9a5f73b0d462fbfede84bffea4414b9d66381719004cf9e
Opcode Fuzzy Hash: d9c5351948892cfef6990f1d36bc9d0ce1c875b5b246aa24e27cb6c397f7a83e
Instruction Fuzzy Hash: B23183B57046099FD714CF59E849BAAB3F9FB88714F0486ABE916C7740DB35A801CB50

Function 070D24C0 Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?,?,070D23F7,?,?,00000000,?,?,?,070D23B9,?,?,?), ref: 070D24D1
InterlockedIncrement.KERNEL32(?), ref: 070D24EE
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 070D25AE
InterlockedDecrement.KERNEL32(?), ref: 070D25B9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$CompletionDecrementErrorIncrementLastPostQueuedStatus
String ID:
API String ID: 2216264528-0
Opcode ID: f6bcb51cef5e086b1721742bb03d3c1e823db8be373ec035034549b61551fd26
Instruction ID: 6e4d8b207e128166a47bbb0366f3124c4f0b1d677e7099eb5a4a4577ccb69451
Opcode Fuzzy Hash: f6bcb51cef5e086b1721742bb03d3c1e823db8be373ec035034549b61551fd26
Instruction Fuzzy Hash: BC31C1F2A10315ABD720CF58E849FAAB3A9FB48320F108296E81997644D675ED60C7E1

Function 070FD0F0 Relevance: 10.6, APIs: 7, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 070FD165
InterlockedExchangeAdd.KERNEL32(?,?), ref: 070FD18A

Part of subcall function 070FAC70: SetLastError.KERNEL32(00000000,18B52151,?,?,00000000,07262808,000000FF,?,070FD1C2,?,?,070FCD6E,00000000,?), ref: 070FACA1

InterlockedExchangeAdd.KERNEL32(?,?), ref: 070FD19D
InterlockedExchangeAdd.KERNEL32(?,?), ref: 070FD1B6
InterlockedDecrement.KERNEL32(?), ref: 070FD1C9
InterlockedDecrement.KERNEL32(?), ref: 070FD1D3
HeapFree.KERNEL32(00000000,00000000,?,?,?,070FCD6E,00000000,?), ref: 070FD1F2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Exchange$Decrement$ErrorFreeHeapIncrementLast
String ID:
API String ID: 3447357669-0
Opcode ID: 4c8d01ffd1d85e92e5ccc2ad0474d59ce1a20ac2bd71213d3d53e3e6d9582c6e
Instruction ID: 4833c6042f075efbdf3e65a040e49a1f4d1a7dc0f6408584ef85260543a7a9ff
Opcode Fuzzy Hash: 4c8d01ffd1d85e92e5ccc2ad0474d59ce1a20ac2bd71213d3d53e3e6d9582c6e
Instruction Fuzzy Hash: 5B31A6F1750A05BBC7149F34DC98BAAB7ADFB45610F00871AFA16C7B40DB34E4008BA0

Function 070EE4C0 Relevance: 10.6, APIs: 7, Instructions: 93networkmemoryCOMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,?), ref: 070EE52C
InterlockedIncrement.KERNEL32(?), ref: 070EE552
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 070EE568
WSAGetLastError.WS2_32 ref: 070EE573
InterlockedDecrement.KERNEL32(?), ref: 070EE584
InterlockedDecrement.KERNEL32(00000002), ref: 070EE58E
HeapFree.KERNEL32(?,00000000,?,?), ref: 070EE5C1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Decrement$ErrorExchangeFreeHeapIncrementLastSend
String ID:
API String ID: 941312861-0
Opcode ID: cf3be59a2e44dffce59cb3f307748b430f2d0c79e2d838dcf53d84288ad5b8e6
Instruction ID: f91cf0e4688895dd7639cabca85938272f20bf30c8818546d41ea90a4f4fbe5c
Opcode Fuzzy Hash: cf3be59a2e44dffce59cb3f307748b430f2d0c79e2d838dcf53d84288ad5b8e6
Instruction Fuzzy Hash: A6315BF15102059FEB64DF78E989B9A7BECAF08304F14467AE90ADB641EB70E540CB60

Function 070EAD00 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,18B52151,?,?,?,072647C8,000000FF), ref: 070EAD35
RtlEnterCriticalSection.NTDLL(?), ref: 070EAD57
SetLastError.KERNEL32(000004DF,?,?,?,?,?,?,?,?,?,?,072647C8,000000FF), ref: 070EAD71
RtlLeaveCriticalSection.NTDLL(?), ref: 070EAD7B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: ae0d73c1187281307607641c205e7a649762dad7525b6a972d6444c22698e163
Instruction ID: a36239d7a1105dea0d7d49908b3b0b1606d7b37b9306c32a4dbd9b690410e239
Opcode Fuzzy Hash: ae0d73c1187281307607641c205e7a649762dad7525b6a972d6444c22698e163
Instruction Fuzzy Hash: C8216FB6608604DFD714CF54F449BAAB7E8FB08715F40866BEA16C7740D73AA900CB94

Function 070E86F0 Relevance: 10.6, APIs: 7, Instructions: 83COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?,?,?,?,07262BB8,000000FF), ref: 070E8727
RtlEnterCriticalSection.NTDLL(?), ref: 070E874A
SetLastError.KERNEL32(0000139F,?,?,?,?,07262BB8,000000FF), ref: 070E8769
RtlLeaveCriticalSection.NTDLL(?), ref: 070E8770

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: aa9dd5cd6f7255612fceb633d87668b7e00bb894de39590551ccc50fe7bb4c7b
Instruction ID: e5330e8b6f868c0b255600fed50324526e0c793bae98ee609fc8f277729549b6
Opcode Fuzzy Hash: aa9dd5cd6f7255612fceb633d87668b7e00bb894de39590551ccc50fe7bb4c7b
Instruction Fuzzy Hash: FD21A776604604DFD314DF58F849BAAB7F8FB88715F0086AFE915D3780EB796801C694

Function 070EF0E0 Relevance: 9.2, APIs: 6, Instructions: 161networkmemoryCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 070EF165
WSAGetLastError.WS2_32 ref: 070EF170
RtlEnterCriticalSection.NTDLL(?), ref: 070EF1A8
SetLastError.KERNEL32(00000000), ref: 070EF1C2
RtlLeaveCriticalSection.NTDLL(?), ref: 070EF1EF
HeapFree.KERNEL32(?,00000000,?,?,18B52151,?,?,070ECFF0,?,?,?), ref: 070EF270

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
String ID:
API String ID: 4219686125-0
Opcode ID: a4cc3730b44c673fded5d4d77dc1125b6ec9b7f4d95bf85427b69b40c1036730
Instruction ID: 52abb7a24efcbaabb76d64427c0d3fe50fdecf6c9cd4568cf4eec51d850f4f7e
Opcode Fuzzy Hash: a4cc3730b44c673fded5d4d77dc1125b6ec9b7f4d95bf85427b69b40c1036730
Instruction Fuzzy Hash: 8A5161B5A0020AAFDB94CF58D895BAE77F9FF49710F10866AE915D7380D734E9018B60

Function 070E8AE0 Relevance: 9.1, APIs: 6, Instructions: 134COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070E8B13
SetLastError.KERNEL32(0000000D), ref: 070E8B7C
RtlEnterCriticalSection.NTDLL(?), ref: 070E8BB4
RtlLeaveCriticalSection.NTDLL(?), ref: 070E8BE4
SetLastError.KERNEL32(0000139F), ref: 070E8BFB
RtlLeaveCriticalSection.NTDLL(?), ref: 070E8C0C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 87f1f8bf61ececd6f1d8f9b9d43a63182ac9bc87eb606754292182b58bd786e6
Instruction ID: 752a4f659039f8dbace3b9a9d738794aeb56d884e8121d4b2b6cb18f4f9ffb7c
Opcode Fuzzy Hash: 87f1f8bf61ececd6f1d8f9b9d43a63182ac9bc87eb606754292182b58bd786e6
Instruction Fuzzy Hash: A341BAF1A00205EFD750DFA8D984B6AB7FCFB48314F149A2AEA56D7780D774E9008B61

Function 071ABE30 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,?,?,?,?,071AC712,00000000), ref: 071ABE85
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,?,?,?,071AC712,00000000), ref: 071ABEAA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,?,?,?,071AC712,00000000), ref: 071ABEC2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,00000000,?,?,?,071AC712,00000000), ref: 071ABEE7

Part of subcall function 071ABBC0: CryptAcquireContextW.ADVAPI32(00000004,?,?,00000001,?), ref: 071ABCE2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ByteCharMultiWide$AcquireContextCrypt
String ID:
API String ID: 3149279148-0
Opcode ID: 5c26a08ee88693981c97a200095acd6066f2d91defe088d7aa6d03d769f2d394
Instruction ID: 6c0be65ffc2cd8e6aba094b68971ca2c712039859e822afd2d4a766f8334c363
Opcode Fuzzy Hash: 5c26a08ee88693981c97a200095acd6066f2d91defe088d7aa6d03d769f2d394
Instruction Fuzzy Hash: 9C4147F570420ABBDB20DA68DC42F6EB3A8DB44720F244219F919972C4DB71E9048B95

Function 070E65B0 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000000,0000000A,?,00000004), ref: 070E65DE
setsockopt.WS2_32(?,00000000,0000000B,?,00000004), ref: 070E65FA
setsockopt.WS2_32(?,00000000,0000000C,7591DFA0,00000008), ref: 070E662D

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

setsockopt.WS2_32(?,00000029,0000000A,?,00000004), ref: 070E664C
setsockopt.WS2_32(?,00000029,0000000B,?,00000004), ref: 070E6668
setsockopt.WS2_32(?,00000029,0000000C,070F6418,00000014), ref: 070E66B6

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: setsockopt$Exception@8Throw
String ID:
API String ID: 549783214-0
Opcode ID: 54d6c3d1365929867946499c1dd719535e9f9742070917ed5f34402c9557c77e
Instruction ID: 1c3233a9bcf97d26177cfd4f8f09f57bd982c412169041f0d6a54c8e32eb2d9f
Opcode Fuzzy Hash: 54d6c3d1365929867946499c1dd719535e9f9742070917ed5f34402c9557c77e
Instruction Fuzzy Hash: 70412DB5A10208AEDB64DFB4DC81BAEB7F4EB48720F20471DE625EB2C0D67196409B95

Function 070E8100 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070E8140
SetLastError.KERNEL32(0000139F,?,00000000,00000000,07262BB8,000000FF,?,070E7C13,?,?,070CDA89,?,?,?,07262BE8,000000FF), ref: 070E8158
RtlLeaveCriticalSection.NTDLL(?), ref: 070E815F
SetLastError.KERNEL32(0000000D,?,?,?,?,?,070CDA89,?,00000000), ref: 070E8204
RtlLeaveCriticalSection.NTDLL(?), ref: 070E8215
SetLastError.KERNEL32(0000139F,18B52151,00000000,?,00000000,00000000,07262BB8,000000FF,?,070E7C13,?,?,070CDA89,?,?,?), ref: 070E8236

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enter
String ID:
API String ID: 3650451384-0
Opcode ID: 88a402f3dd894403dd4d28cad3b3f7628b8843688dfdd3e33081860c6d45cb71
Instruction ID: 7daa386dcc825b4e835cfa676866c2bcb24e9029ec537b7b51e63c250d874c08
Opcode Fuzzy Hash: 88a402f3dd894403dd4d28cad3b3f7628b8843688dfdd3e33081860c6d45cb71
Instruction Fuzzy Hash: BB41D5F5604704EFE724CB64ED45B6AB3ECFB48711F0086AEED1A97780D775A500C661

Function 070EE250 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 070EE279
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 070EE2B8
RtlEnterCriticalSection.NTDLL(?), ref: 070EE2CE
RtlLeaveCriticalSection.NTDLL(?), ref: 070EE2E0
RtlLeaveCriticalSection.NTDLL(?), ref: 070EE310
PostQueuedCompletionStatus.KERNEL32(?,000000F3,?,00000000), ref: 070EE333

Part of subcall function 070EE4C0: InterlockedExchangeAdd.KERNEL32(?,?), ref: 070EE52C
Part of subcall function 070EE4C0: InterlockedIncrement.KERNEL32(?), ref: 070EE552
Part of subcall function 070EE4C0: WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 070EE568
Part of subcall function 070EE4C0: WSAGetLastError.WS2_32 ref: 070EE573
Part of subcall function 070EE4C0: InterlockedDecrement.KERNEL32(?), ref: 070EE584
Part of subcall function 070EE4C0: InterlockedDecrement.KERNEL32(00000002), ref: 070EE58E
Part of subcall function 070EE4C0: HeapFree.KERNEL32(?,00000000,?,?), ref: 070EE5C1

Part of subcall function 070EC1A0: RtlEnterCriticalSection.NTDLL(?), ref: 070EC1C9
Part of subcall function 070EC1A0: RtlEnterCriticalSection.NTDLL(?), ref: 070EC1D3
Part of subcall function 070EC1A0: RtlLeaveCriticalSection.NTDLL(?), ref: 070EC1F2
Part of subcall function 070EC1A0: RtlLeaveCriticalSection.NTDLL(?), ref: 070EC1F5
Part of subcall function 070EC1A0: timeGetTime.WINMM(?,00000000,?,?,?,?,?,070ED2A7,?,00000000,00000000,00000000), ref: 070EC224

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Interlocked$Leave$Enter$DecrementExchange$CompareCompletionErrorFreeHeapIncrementLastPostQueuedSendStatusTimegetsockopttime
String ID:
API String ID: 1633786011-0
Opcode ID: e3411034ba6636f34f26000242048b9ff9fc8472b08136553359ff4a0e02f621
Instruction ID: 5ad58e69aa4e566f39e74034ab9d845b517a0ca4bd01b1a67779e6bf18bc3716
Opcode Fuzzy Hash: e3411034ba6636f34f26000242048b9ff9fc8472b08136553359ff4a0e02f621
Instruction Fuzzy Hash: 4E318BF2600209AFFB54DEA8E888EAEB7ADFF44711F50426AF904DB284D775D940C791

Function 070BDF20 Relevance: 9.1, APIs: 6, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,18B52151), ref: 070BDF76
SetLastError.KERNEL32(00000000), ref: 070BDF84
RtlDeleteCriticalSection.NTDLL(?), ref: 070BDFAE
RtlDeleteCriticalSection.NTDLL(?), ref: 070BDFB4
CloseHandle.KERNEL32(?), ref: 070BDFC7
_free.LIBCMT ref: 070BDFEA

Part of subcall function 070F89E0: GetCurrentThreadId.KERNEL32 ref: 070F89E4

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalDeleteSection$CloseCurrentErrorHandleLastObjectSingleThreadWait_free
String ID:
API String ID: 2652704522-0
Opcode ID: 952724b0db1a7bc812cc49e218cba9f920f2ee8cb8109186367526e091b3b178
Instruction ID: b7730d336b408c608b49ba66ef7660df3fc30d468950c1964b17824d7a8d325b
Opcode Fuzzy Hash: 952724b0db1a7bc812cc49e218cba9f920f2ee8cb8109186367526e091b3b178
Instruction Fuzzy Hash: B731C1F5605646EBDB20DF68D884ADAFBE8FF04310F104A2EE95AD7340C735AA04CB51

Function 070C7580 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070C75B8
RtlEnterCriticalSection.NTDLL(?), ref: 070C75CC
RtlLeaveCriticalSection.NTDLL(?), ref: 070C75E3
RtlLeaveCriticalSection.NTDLL(?), ref: 070C75E6
RtlLeaveCriticalSection.NTDLL(?), ref: 070C7621
RtlLeaveCriticalSection.NTDLL(?), ref: 070C762B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 1f291238b2409874fc2b362472e725725d156b2c5025e0b913d74c231de00391
Instruction ID: 8a63597d6db1a630cea6fdafec258ae88405e17570c77c99405e447ce749c411
Opcode Fuzzy Hash: 1f291238b2409874fc2b362472e725725d156b2c5025e0b913d74c231de00391
Instruction Fuzzy Hash: A72183B1A047489FD720CF59E984B5AF7F8FB48724F10466EE909D3740D779A9048A64

Function 070F2EE0 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 070F2EF3
RtlEnterCriticalSection.NTDLL(?), ref: 070F2EFD
RtlLeaveCriticalSection.NTDLL(?), ref: 070F2F27
InterlockedDecrement.KERNEL32(?), ref: 070F2F2E
PostQueuedCompletionStatus.KERNEL32(?,00000057,00000002,00000000,?,?,070BA727,?,?,?), ref: 070F2F58
SetLastError.KERNEL32(00000057,?,?,070BA727,?,?,?), ref: 070F2F5F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalInterlockedSection$CompletionDecrementEnterErrorIncrementLastLeavePostQueuedStatus
String ID:
API String ID: 249042461-0
Opcode ID: 30e6dfce3107e3b1cd24df17b41cc06716c107ba7b9a7f3b3125619637dd24de
Instruction ID: a1b5a05694e0e7d5712a2118a89eb9fdbe6696841d8ab05b47cf561d973c6b1a
Opcode Fuzzy Hash: 30e6dfce3107e3b1cd24df17b41cc06716c107ba7b9a7f3b3125619637dd24de
Instruction Fuzzy Hash: 3E1108F2920526FBC7218A64E94D96F77ACBF05710B498276FB0997A00C735DC0987E0

Function 07251104 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 07251110

Part of subcall function 07250584: __getptd_noexit.LIBCMT ref: 07250587
Part of subcall function 07250584: __amsg_exit.LIBCMT ref: 07250594

__amsg_exit.LIBCMT ref: 07251130
__lock.LIBCMT ref: 07251140
InterlockedDecrement.KERNEL32(?), ref: 0725115D
_free.LIBCMT ref: 07251170
InterlockedIncrement.KERNEL32(06EE1668), ref: 07251188

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 7cb7f8513c534696ca24b7e0ba2775d4aca3e8f26c1cd7db6e88129983a260f5
Instruction ID: 77e2c9d5d7157cdc314f80da62ad1b484627a7d5f9c706bc722e88734c72f28e
Opcode Fuzzy Hash: 7cb7f8513c534696ca24b7e0ba2775d4aca3e8f26c1cd7db6e88129983a260f5
Instruction Fuzzy Hash: 4A01C4F1E22717EBEB25AF24944675D73B4BF04B60F05D095DC1067684C738A8A1CBD6

Function 0718C080 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 280COMMON

Download Yara Rule

Strings

assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16, xrefs: 0718C241
assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv), xrefs: 0718C2EB
crypto\evp\evp_enc.c, xrefs: 0718C119, 0718C161, 0718C196, 0718C1B0, 0718C206, 0718C23C, 0718C274, 0718C2E6

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)$assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16$crypto\evp\evp_enc.c
API String ID: 0-1817456405
Opcode ID: d79a66fae5c0fa6ebd8a91dccc3945cd55a7428a3939159c7396748785af7121
Instruction ID: 8737153a25d0a13c093231a4c65c4d7d6f3e5d9731d3d5f92bf6714d664bb7db
Opcode Fuzzy Hash: d79a66fae5c0fa6ebd8a91dccc3945cd55a7428a3939159c7396748785af7121
Instruction Fuzzy Hash: F681F4F2A00305ABD731BE78DCC1A6BB3E5AB40614F14496DFA85966C1E771E5408FF2

Function 07145010 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

Strings

gfff, xrefs: 0714506A
ssl\ssl_cert.c, xrefs: 0714501D, 07145037, 07145096, 071450AB, 0714514A, 071451A8, 071451ED, 0714523A, 0714529C, 0714536E

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID: gfff$ssl\ssl_cert.c
API String ID: 2102423945-1949360726
Opcode ID: 26e7d4585a348c6161d16f189b61eca1d5a73898bd9f25fc7a2f46b2808bc8e5
Instruction ID: 77fc4263d412c27220b8e1c8537c505c5d0837dfa60deefa405c37f93df46dbf
Opcode Fuzzy Hash: 26e7d4585a348c6161d16f189b61eca1d5a73898bd9f25fc7a2f46b2808bc8e5
Instruction Fuzzy Hash: 8DA15EF4B00B02ABE728DF75DC81B96B3A5BB44704F048529E95D9B281E7B0F564CBA1

Function 0718B6A0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

assertion failed: bl <= (int)sizeof(ctx->buf), xrefs: 0718B820
crypto\evp\evp_enc.c, xrefs: 0718B73F, 0718B81B, 0718B887

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: assertion failed: bl <= (int)sizeof(ctx->buf)$crypto\evp\evp_enc.c
API String ID: 0-1593849690
Opcode ID: 438de8b296d8525c6264fb9f0c78eceb272fcdd0a8f03c91a78fb9b925ea7601
Instruction ID: 05a5abc9a8903b11db5ec9bc0655f1cff7d1beba537232c7340c33ad14b5f0f0
Opcode Fuzzy Hash: 438de8b296d8525c6264fb9f0c78eceb272fcdd0a8f03c91a78fb9b925ea7601
Instruction Fuzzy Hash: EA71DEF57043029FD725DE2DCC81A6BB3E5EBC4710F58892DE94987280DB39E9098A62

Function 070D0AC0 Relevance: 7.8, APIs: 5, Instructions: 284COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070D0B21

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a07632d84c85d6e3c874bfa4da2439d56d1af863f0b0c5df64c1f1da6915d969
Instruction ID: 029568e9ec2101d869549fbb33b2029414dab3c3198fb3b064cafc2b584fcfd2
Opcode Fuzzy Hash: a07632d84c85d6e3c874bfa4da2439d56d1af863f0b0c5df64c1f1da6915d969
Instruction Fuzzy Hash: FEB136B56087028FC368CF29C590A2AB7E5FF88214F148A6EE89EC7751D730E945CF52

Function 070C88E0 Relevance: 7.8, APIs: 5, Instructions: 284COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070C8941

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c6444135614153bb4b852846f9749e419aa22eb3887beaa04d75701a7dec444f
Instruction ID: dbdbe2a61a5ab8512902daa4339ce0d172924a05591621b84a9e023179c71de8
Opcode Fuzzy Hash: c6444135614153bb4b852846f9749e419aa22eb3887beaa04d75701a7dec444f
Instruction Fuzzy Hash: 8FB14AB56047029FC368CF69C580A2BB7E1FF88214F148A6EE99AC7790D730E905CF56

Function 070E4390 Relevance: 7.8, APIs: 5, Instructions: 259networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070E43E0
htons.WS2_32(?), ref: 070E4487
htonl.WS2_32(?), ref: 070E449C
htonl.WS2_32(?), ref: 070E44A7
SetLastError.KERNEL32(0000000D,?,?), ref: 070E4658

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: htonl$ErrorLast_memmovehtons
String ID:
API String ID: 3641409196-0
Opcode ID: 3d9db08eadf668d25b7eb47680881b27c9189571b451f88643cdd94713f84b0e
Instruction ID: c4044f86f370d896d7dae6cb5db72683b1ce50cb41fb797086c85e840bc4fb6d
Opcode Fuzzy Hash: 3d9db08eadf668d25b7eb47680881b27c9189571b451f88643cdd94713f84b0e
Instruction Fuzzy Hash: B2A136F16047428FC368CF69C584A2BB7E9FF88214F148A6EF89A87751D770E845CB52

Function 070E40B0 Relevance: 7.8, APIs: 5, Instructions: 259networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070E4100
htons.WS2_32(?), ref: 070E41A7
htonl.WS2_32(?), ref: 070E41BC
htonl.WS2_32(?), ref: 070E41C7
SetLastError.KERNEL32(0000000D,?,?), ref: 070E4378

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: htonl$ErrorLast_memmovehtons
String ID:
API String ID: 3641409196-0
Opcode ID: 30437d27d475b4e23988b5c317a3ad855b459b1349dbe788d623396f1335081f
Instruction ID: f11a88e4acb1425e66d06ff9def631188c7239405a7e498e8085be662c6081ed
Opcode Fuzzy Hash: 30437d27d475b4e23988b5c317a3ad855b459b1349dbe788d623396f1335081f
Instruction Fuzzy Hash: 5EA143B16147428FC768CF69C484A2AF7EABFD8204F148A6EF89A87711D730E805CB51

Function 070D5400 Relevance: 7.8, APIs: 5, Instructions: 259networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070D5450
htons.WS2_32(?), ref: 070D54F7
htonl.WS2_32(?), ref: 070D550C
htonl.WS2_32(?), ref: 070D5517
SetLastError.KERNEL32(0000000D,?,?), ref: 070D56C8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: htonl$ErrorLast_memmovehtons
String ID:
API String ID: 3641409196-0
Opcode ID: d2a17e0f961393c07a443710d9abc2859821859c0ab7634c65044b707471f40f
Instruction ID: f1206de195c22f41fbab6a1162d1a95349d7a0a2567d666a17806ce719d361ad
Opcode Fuzzy Hash: d2a17e0f961393c07a443710d9abc2859821859c0ab7634c65044b707471f40f
Instruction Fuzzy Hash: 6AA149B16057028FC368CF69C994A2BB7E6FF88204F148A2EE89AC7751D770E855CF51

Function 070D5120 Relevance: 7.8, APIs: 5, Instructions: 259networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070D5170
htons.WS2_32(?), ref: 070D5217
htonl.WS2_32(?), ref: 070D522C
htonl.WS2_32(?), ref: 070D5237
SetLastError.KERNEL32(0000000D,?,?), ref: 070D53E8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: htonl$ErrorLast_memmovehtons
String ID:
API String ID: 3641409196-0
Opcode ID: 567278663369b588eba26564f7cf853ef9d7d850c22b2067a155fabbd7288d31
Instruction ID: 9aed1926036f5dd6837a14f73354faa204f05d2a49959cece2ef301b98f55768
Opcode Fuzzy Hash: 567278663369b588eba26564f7cf853ef9d7d850c22b2067a155fabbd7288d31
Instruction Fuzzy Hash: F3A16BB56047018FC368CF69C984A2BB7E5FF88204F148A2EE89AC7751E7B0E855CF51

Function 070D28A0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 218COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010D8,18B52151), ref: 070D2916
SetLastError.KERNEL32(000010D8), ref: 070D2921
SetLastError.KERNEL32(000010D8,?,18B52151), ref: 070D294E

Strings

P, xrefs: 070D29BB
CONNECT, xrefs: 070D2989

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast
String ID: CONNECT$P
API String ID: 1452528299-944343233
Opcode ID: dd66efe581f92cb1d40a8bd5fcf41087f3190a9875d824331e06d6b4d21a5763
Instruction ID: 433d7e08f2ee259c9139f222931ad8c949a1c5545aba9d07ea6163f4c60be6dc
Opcode Fuzzy Hash: dd66efe581f92cb1d40a8bd5fcf41087f3190a9875d824331e06d6b4d21a5763
Instruction Fuzzy Hash: 27819CB56083428FD311CF18D880A6AB7E5FBC9724F14872EE99997381DB31E901CB92

Function 070B8B50 Relevance: 7.7, APIs: 5, Instructions: 177COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 070B8BF4
_memmove.LIBCMT ref: 070B8C10

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1f806fe4b1c63d3660c1003aa71aaf07c6485605ef231c1f63cab34e72339ff2
Instruction ID: 34b80b585c20aaae7d90e547bd2c838c87c9fa1e786eccbf643f7832cc9cffb7
Opcode Fuzzy Hash: 1f806fe4b1c63d3660c1003aa71aaf07c6485605ef231c1f63cab34e72339ff2
Instruction Fuzzy Hash: 37611CF1A11606EFCB68DF69C580AD9B7E9BF48310F54C669D85AC7690E730EA44CBC0

Function 070BCEE0 Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,18B52151,00000008,00000000,?,?,07263071,000000FF,?,070BE542,00000008,?), ref: 070BCF1C
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 070BD041
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BD07F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BD0C9
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BD0A4

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateEvent$CountCriticalException@8InitializeSectionSpinThrow
String ID:
API String ID: 2324559976-0
Opcode ID: 364c1033432366e997385b32aa90a7788882261c286fd0e2d93a6a5ab1ec527a
Instruction ID: 30c947751216c84a2b75427bf2364bc15f24aeeb06924a6d5dae964c58331398
Opcode Fuzzy Hash: 364c1033432366e997385b32aa90a7788882261c286fd0e2d93a6a5ab1ec527a
Instruction Fuzzy Hash: EE61F2B1A15A56FED354CF79C88078AFBE8FB08704F10822EE118D3A40D770AA64CBD1

Function 070FB670 Relevance: 7.7, APIs: 5, Instructions: 154timeCOMMON

Download Yara Rule

APIs

Part of subcall function 070FDF50: WaitForSingleObject.KERNEL32(?,000000FF), ref: 070FDFAC

sendto.WS2_32(000000FF,0733E4D4,00000010,00000000,?,-0000001D), ref: 070FB750
timeGetTime.WINMM(?,?,?), ref: 070FB76D
timeGetTime.WINMM ref: 070FB77A
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-0000001E,000004FF), ref: 070FB794
SetLastError.KERNEL32(000005B4), ref: 070FB7C5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: TimeWaittime$ErrorLastMultipleObjectObjectsSinglesendto
String ID:
API String ID: 2424163294-0
Opcode ID: 5012200437da181ed37a20b2f7acdaffb960a2269a478fbbe4eb49b09940badf
Instruction ID: 0fd12a9f33ace657dec6878454b00b797c06c97dd69900ddf04e5cf50e014b49
Opcode Fuzzy Hash: 5012200437da181ed37a20b2f7acdaffb960a2269a478fbbe4eb49b09940badf
Instruction Fuzzy Hash: AD5193F5A00215DFDB24DB78DC80AAEB7B5EF89710F24432EE62697680DB74A901CF51

Function 070BC940 Relevance: 7.6, APIs: 5, Instructions: 145COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,18B52151,00000008,00000000,?,?,07263199,000000FF,?,070BE4F2,00000008,?), ref: 070BC97C
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 070BCA4A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BCA88
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BCAAD
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BCAD2

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateEvent$CountCriticalException@8InitializeSectionSpinThrow
String ID:
API String ID: 2324559976-0
Opcode ID: a24a94b5814abc0bd731b2c5042965612a7b51d6169da331cda41b542d95b8d5
Instruction ID: 62b437ab755d07ee224693caa6a6b912b76fc4711a9f5d6bfa8c9f7ce6d9916a
Opcode Fuzzy Hash: a24a94b5814abc0bd731b2c5042965612a7b51d6169da331cda41b542d95b8d5
Instruction Fuzzy Hash: C2512EF1A10A5AFFD714DF69C88469AFBA8FB08714F50862EE118D3640D774A920CFD0

Function 070BB140 Relevance: 7.6, APIs: 5, Instructions: 144COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,18B52151,00000008,00000000,?,?,07263419,000000FF,?,070BE182,00000008,?), ref: 070BB17C
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 070BB250
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BB28E
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BB2B3
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 070BB2D8

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CreateEvent$CountCriticalException@8InitializeSectionSpinThrow
String ID:
API String ID: 2324559976-0
Opcode ID: fbbd6933ebbe1cac8aea42e0fbe6465f63d10715a80d8dfbd2e72ef26be10141
Instruction ID: 8cbfd71fe7348e913060ccf09a73f91639e14dff4adf0ef6183146f8b575fff8
Opcode Fuzzy Hash: fbbd6933ebbe1cac8aea42e0fbe6465f63d10715a80d8dfbd2e72ef26be10141
Instruction Fuzzy Hash: F5514DF1A11A5AFFD314DF69C884689FBA8FB08714F50822EE518D7A40C774A524CFD0

Function 070E2140 Relevance: 7.6, APIs: 5, Instructions: 143timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070E214D
InterlockedDecrement.KERNEL32(?), ref: 070E21B1
InterlockedCompareExchange.KERNEL32(?,00000000,?), ref: 070E223F
InterlockedIncrement.KERNEL32(?), ref: 070E2253
InterlockedDecrement.KERNEL32(?), ref: 070E22B7

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Decrement$CompareExchangeIncrementTimetime
String ID:
API String ID: 2820668962-0
Opcode ID: 98d776294782c42d800f96933b05a6d5228b497797d362b8c4d3b2f53a6f5a0d
Instruction ID: 1f30d8b925268b45c09226889f29c845d6fe0ed6376e8f7d3cc1a9bed91c5311
Opcode Fuzzy Hash: 98d776294782c42d800f96933b05a6d5228b497797d362b8c4d3b2f53a6f5a0d
Instruction Fuzzy Hash: F9413DF1600A06EFD715DFA4D9D4AAEB7ECFF08200F04826EE61A97250D770EA14CB91

Function 070E34C0 Relevance: 7.6, APIs: 5, Instructions: 143timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070E34CD
InterlockedDecrement.KERNEL32(?), ref: 070E3531
InterlockedCompareExchange.KERNEL32(?,00000000,?), ref: 070E35BF
InterlockedIncrement.KERNEL32(?), ref: 070E35D3
InterlockedDecrement.KERNEL32(?), ref: 070E3637

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Decrement$CompareExchangeIncrementTimetime
String ID:
API String ID: 2820668962-0
Opcode ID: 699b490c1664e8d4b3bbc9b74a74b89197bd7d65421d3f6973a2a511b1f71f67
Instruction ID: f73a5a2ccd731dd4ed4f5bd4296ceb6396234ccae6d7fe1fe07451e30df6e868
Opcode Fuzzy Hash: 699b490c1664e8d4b3bbc9b74a74b89197bd7d65421d3f6973a2a511b1f71f67
Instruction Fuzzy Hash: C2413CF5600A07EFD715DF65DD85BAAFBA8BF04204F0582AAE92A87300D734E914CF91

Function 070ED110 Relevance: 7.6, APIs: 5, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 070ED147
HeapFree.KERNEL32(?,00000000,?,?,?,00000001,?,?,?,?,00000000,?,070ECFF0,?,?,?), ref: 070ED169
InterlockedDecrement.KERNEL32(?), ref: 070ED178
InterlockedDecrement.KERNEL32(?), ref: 070ED1D8
InterlockedDecrement.KERNEL32(?), ref: 070ED1F3

Part of subcall function 070EC1A0: RtlEnterCriticalSection.NTDLL(?), ref: 070EC1C9
Part of subcall function 070EC1A0: RtlEnterCriticalSection.NTDLL(?), ref: 070EC1D3
Part of subcall function 070EC1A0: RtlLeaveCriticalSection.NTDLL(?), ref: 070EC1F2
Part of subcall function 070EC1A0: RtlLeaveCriticalSection.NTDLL(?), ref: 070EC1F5
Part of subcall function 070EC1A0: timeGetTime.WINMM(?,00000000,?,?,?,?,?,070ED2A7,?,00000000,00000000,00000000), ref: 070EC224

Part of subcall function 070ED220: InterlockedIncrement.KERNEL32(?), ref: 070ED24D
Part of subcall function 070ED220: setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 070ED272
Part of subcall function 070ED220: InterlockedDecrement.KERNEL32(?), ref: 070ED2C9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Decrement$CriticalSection$EnterLeave$FreeHeapIncrementTimesetsockopttime
String ID:
API String ID: 3832054917-0
Opcode ID: 7d8327989792cdceb9afda57b3512aca9db73b520efbb1742e3065b8231fc582
Instruction ID: 330572743950567e54eeaeed02192c2b02cf5445959c1eff8468d37bba0284d2
Opcode Fuzzy Hash: 7d8327989792cdceb9afda57b3512aca9db73b520efbb1742e3065b8231fc582
Instruction Fuzzy Hash: 87317CF2300206AFEB14DFA9EC88EBF73ADEB85254B0446AAFA14C7300C634D811C761

Function 070FDFF0 Relevance: 7.6, APIs: 5, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 070FE0C6

Part of subcall function 070EE890: HeapFree.KERNEL32(00000007,00000000,?,?,00000000,070EE806), ref: 070EE8D1

RtlDeleteCriticalSection.NTDLL(0000007C), ref: 070FE053
CloseHandle.KERNEL32(?,?,?,?,18B52151), ref: 070FE06E
CloseHandle.KERNEL32(?,?,?,?,18B52151), ref: 070FE08B
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,18B52151), ref: 070FE09E

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseFreeHandleHeap$CriticalDeleteSection_free
String ID:
API String ID: 104725616-0
Opcode ID: 0290036985797824ceb9283c1be5ed614cf5c874803855099d125158f965b233
Instruction ID: 2c92a9fc2c5624f53f00a730f42dba515576e5684d1dd97bbe9941ac004d9891
Opcode Fuzzy Hash: 0290036985797824ceb9283c1be5ed614cf5c874803855099d125158f965b233
Instruction Fuzzy Hash: 3031BEF1A0061AEFCB20DF68D884B9ABBF9FF44714F104A1AE965E7750C731A940CB90

Function 070EAAE0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010D8,18B52151,?,?,?,?,07262BE8,000000FF), ref: 070EAB13
InterlockedIncrement.KERNEL32(?), ref: 070EAB4D
SetLastError.KERNEL32(0000000D), ref: 070EAB86
InterlockedDecrement.KERNEL32(?), ref: 070EAB92

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorInterlockedLast$DecrementIncrement
String ID:
API String ID: 1362034426-0
Opcode ID: e2ac8d7a7e72ab39e08ed9f62f2e1a990b141a538af0e9f952dee944b3b1bfd6
Instruction ID: 6706f716ce8acb1697ca0072dfacf027ff2aebb02c2cbe560e7234f717e1e617
Opcode Fuzzy Hash: e2ac8d7a7e72ab39e08ed9f62f2e1a990b141a538af0e9f952dee944b3b1bfd6
Instruction Fuzzy Hash: 66316FB6B44604AFD710DF59EC45FAAF7ADFB89621F00826BFD15D3740E775A80086A0

Function 070BACF0 Relevance: 7.6, APIs: 5, Instructions: 87memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 070BAD39
SetLastError.KERNEL32(00000000), ref: 070BAD47
_free.LIBCMT ref: 070BAD71
HeapDestroy.KERNEL32(?,?), ref: 070BADB7
CloseHandle.KERNEL32(?,?), ref: 070BADE1

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseDestroyErrorHandleHeapLastObjectSingleWait_free
String ID:
API String ID: 3688918489-0
Opcode ID: ab0e482d61ad84780cea75bbb8f3e7107b82afbcaa32648c74886b5b7799ada3
Instruction ID: 9d9f5c40ea0ee38753b0923a5fe549d39888372c71221f944c1a95a3ae852be3
Opcode Fuzzy Hash: ab0e482d61ad84780cea75bbb8f3e7107b82afbcaa32648c74886b5b7799ada3
Instruction Fuzzy Hash: 5C316FF1A10646EFDB15DFA5D888ACAF7E8FB04311F50462AE52AD3640DB34A5148B91

Function 070D22C0 Relevance: 7.6, APIs: 5, Instructions: 80timeCOMMON

Download Yara Rule

APIs

Part of subcall function 070D26F0: InterlockedCompareExchange.KERNEL32(?,00000002,00000001), ref: 070D2700
Part of subcall function 070D26F0: InterlockedCompareExchange.KERNEL32(?,00000002,00000000), ref: 070D270C
Part of subcall function 070D26F0: WaitForSingleObject.KERNEL32(?,00000005,?,?,070D22CE,?,?,?,070BBDB7,000000FF,18B52151), ref: 070D2729
Part of subcall function 070D26F0: SetLastError.KERNEL32(0000139F,?,?,070D22CE,?,?,?,070BBDB7,000000FF,18B52151,?,?,?,?,?,07263F5E), ref: 070D2737

timeGetTime.WINMM(?,?,?,?,?,070BBDB7,000000FF,18B52151,?,?,?,?,?,07263F5E,000000FF), ref: 070D22E3
timeGetTime.WINMM(?,?,?,?,?,070BBDB7,000000FF,18B52151,?,?,?,?,?,07263F5E,000000FF), ref: 070D22FA
MsgWaitForMultipleObjects.USER32(00000001,00000002,00000000,-0000000F,000004FF), ref: 070D2319
SetLastError.KERNEL32(000005B4,?,?,?,?,?,070BBDB7,000000FF,18B52151,?,?,?,?,?,07263F5E,000000FF), ref: 070D2346
SetEvent.KERNEL32(?,?,?,?,?,?,070BBDB7,000000FF,18B52151,?,?,?,?,?,07263F5E,000000FF), ref: 070D2386

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CompareErrorExchangeInterlockedLastTimeWaittime$EventMultipleObjectObjectsSingle
String ID:
API String ID: 96278755-0
Opcode ID: df75820e04a325b7583643ac7857a1804b32ac6df8c229ccfb7d45366fef3157
Instruction ID: 1d7dea10ac35adbd93740fcae1b7f27d95ca229c0225e0ba7ed46fc56655fbc8
Opcode Fuzzy Hash: df75820e04a325b7583643ac7857a1804b32ac6df8c229ccfb7d45366fef3157
Instruction Fuzzy Hash: 4821B6F1610301DBDB14AF69E98566AB7D8FF48720F10435AFD15CB281D6B0DC41CBA1

Function 070F6A00 Relevance: 7.6, APIs: 5, Instructions: 76networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000020,?,00000004), ref: 070F6A46
WSAEventSelect.WS2_32(?,?,00000023), ref: 070F6A6C
SetLastError.KERNEL32(00000000,?,7591DFA0,?,?,070F6418,?,?,?,?,?), ref: 070F6A7E
GetLastError.KERNEL32(?,7591DFA0,?,?,070F6418,?,?,?,?,?), ref: 070F6A95
WSASetLastError.WS2_32(00000000,?,7591DFA0,?,?,070F6418,?,?,?,?,?), ref: 070F6AA5

Part of subcall function 070E65B0: setsockopt.WS2_32(?,00000000,0000000A,?,00000004), ref: 070E65DE
Part of subcall function 070E65B0: setsockopt.WS2_32(?,00000000,0000000B,?,00000004), ref: 070E65FA
Part of subcall function 070E65B0: setsockopt.WS2_32(?,00000000,0000000C,7591DFA0,00000008), ref: 070E662D

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: setsockopt$ErrorLast$EventSelect
String ID:
API String ID: 4116459464-0
Opcode ID: 464dfe333c51cef498ab3002496608f6b5a06d9783c6e3549c6fe0621931020b
Instruction ID: d6c245b2cc886dffbb011ab4dc815d44a6f2498c13fce50eb9d8074179040d26
Opcode Fuzzy Hash: 464dfe333c51cef498ab3002496608f6b5a06d9783c6e3549c6fe0621931020b
Instruction Fuzzy Hash: 5521D5B27011009BDB14DF68EC89BAA77ACEB84724F108396FE18CB785D775D8528B90

Function 070EC1A0 Relevance: 7.6, APIs: 5, Instructions: 75timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070EC1C9
RtlEnterCriticalSection.NTDLL(?), ref: 070EC1D3
RtlLeaveCriticalSection.NTDLL(?), ref: 070EC1F2
RtlLeaveCriticalSection.NTDLL(?), ref: 070EC1F5
timeGetTime.WINMM(?,00000000,?,?,?,?,?,070ED2A7,?,00000000,00000000,00000000), ref: 070EC224

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Timetime
String ID:
API String ID: 2979242471-0
Opcode ID: a6026193bf14441483c3d8a038ae2184f48cbd5a58c903a0032e77d30f14d48b
Instruction ID: b3d3656d07b28af0e369057a1c8160b3141d1988a59750349f7057a0d8c51971
Opcode Fuzzy Hash: a6026193bf14441483c3d8a038ae2184f48cbd5a58c903a0032e77d30f14d48b
Instruction Fuzzy Hash: 63217CB1601609AFE724EF64DD84AABB7FDFF84614F108619E90687740DA31F901CBB1

Function 070F1660 Relevance: 7.6, APIs: 5, Instructions: 75timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070F1689
RtlEnterCriticalSection.NTDLL(?), ref: 070F1693
RtlLeaveCriticalSection.NTDLL(?), ref: 070F16B2
RtlLeaveCriticalSection.NTDLL(?), ref: 070F16B5
timeGetTime.WINMM(?,00000000,?,?,?), ref: 070F16E4

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Timetime
String ID:
API String ID: 2979242471-0
Opcode ID: 6723c066fc2fc793d07baf69a58389d53bd059847c1729b9d408a7b1cd6f5f29
Instruction ID: 2684f22e0f8600e9bca519c8f739428d2951e40527f8af2ca6a82378f65be310
Opcode Fuzzy Hash: 6723c066fc2fc793d07baf69a58389d53bd059847c1729b9d408a7b1cd6f5f29
Instruction Fuzzy Hash: 99216DB5600709EFD714DF24DD84AABB7F9FF84254F108619EA0A97A40DB70BD01CBA1

Function 070F89E0 Relevance: 7.6, APIs: 5, Instructions: 64networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 070F89E4
send.WS2_32(070BCB57,0733E4D4,00000010,00000000), ref: 070F8A20
WSACloseEvent.WS2_32(?), ref: 070F8A4A
shutdown.WS2_32(070BCB57,00000001), ref: 070F8A5E
closesocket.WS2_32(070BCB57), ref: 070F8A68

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseCurrentEventThreadclosesocketsendshutdown
String ID:
API String ID: 4251041364-0
Opcode ID: a19c7161f06ddab84f5899ee2026a51dfdac2871dc55dff3d9404ff2cfd67178
Instruction ID: c1cebe62f0de69d0640051e600b7ce990a2f708769fcd025bba120c782828bb6
Opcode Fuzzy Hash: a19c7161f06ddab84f5899ee2026a51dfdac2871dc55dff3d9404ff2cfd67178
Instruction Fuzzy Hash: 5F114FB52007019FD630DF29E84899AB3F9EF88710B148B1AF695C7B90DB35E8428B90

Function 070EC340 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070EC375
RtlEnterCriticalSection.NTDLL(?), ref: 070EC3A1
RtlLeaveCriticalSection.NTDLL(?), ref: 070EC3C4
shutdown.WS2_32(?,00000001), ref: 070EC3DD
closesocket.WS2_32(?), ref: 070EC3E4

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Enter$Leaveclosesocketshutdown
String ID:
API String ID: 3384241815-0
Opcode ID: 07d391e271dfbeab7a2aa3f9abb38cd382477c8e69e4ce8573ae27d8ac83001e
Instruction ID: c6b5369583d62cb53bd051f116c608ddcfa03d378a1e8ce2668ed0ccc287ebde
Opcode Fuzzy Hash: 07d391e271dfbeab7a2aa3f9abb38cd382477c8e69e4ce8573ae27d8ac83001e
Instruction Fuzzy Hash: B3211FB6600704EFD710CF55E889FAEB7B9FB89724F10865AF916C7380DB75A9408B60

Function 070F17D0 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070F1805
RtlEnterCriticalSection.NTDLL(?), ref: 070F1831
RtlLeaveCriticalSection.NTDLL(?), ref: 070F1854
shutdown.WS2_32 ref: 070F186D
closesocket.WS2_32(?), ref: 070F1874

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Enter$Leaveclosesocketshutdown
String ID:
API String ID: 3384241815-0
Opcode ID: 4ec71d8be306747c9c805329f07785880c3cd964688b635f1ff7bd27e097f954
Instruction ID: 709b6b3acc02b9a4d59335b028ba04ec28ca4d3e28b5835b956d2ea4430d5f5c
Opcode Fuzzy Hash: 4ec71d8be306747c9c805329f07785880c3cd964688b635f1ff7bd27e097f954
Instruction Fuzzy Hash: 642181B6200208EFD710CF54E889FAAB7F9FF48720F10865AF915C7380CB74A9018B60

Function 070ED2F0 Relevance: 7.6, APIs: 5, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,?), ref: 070ED31A

Part of subcall function 070EB650: SetLastError.KERNEL32(00000000,18B52151,?,?), ref: 070EB683

InterlockedExchangeAdd.KERNEL32(070ED1EF,?), ref: 070ED32D
InterlockedExchangeAdd.KERNEL32(070ED1EF,?), ref: 070ED348
InterlockedDecrement.KERNEL32(?), ref: 070ED360
HeapFree.KERNEL32(00000000,00000000,?,?,?,070ECFF0,?,?,?), ref: 070ED382

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$Exchange$DecrementErrorFreeHeapLast
String ID:
API String ID: 532140803-0
Opcode ID: f6e5fd16d8ae81bacc19d1cf0e303b8ef7345a5a8c1d454cbd8a6adbc0ed9a0e
Instruction ID: c193101bd964c25ba96729d4204b880c33be4388961a16d9d078db5712d64741
Opcode Fuzzy Hash: f6e5fd16d8ae81bacc19d1cf0e303b8ef7345a5a8c1d454cbd8a6adbc0ed9a0e
Instruction Fuzzy Hash: 261161F2210612AFCB64AF78FC88DAB77ACEF456057044B0AF602D6681DA39E800C771

Function 070D25E0 Relevance: 7.6, APIs: 5, Instructions: 59timesynchronizationthreadCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 070D25F0
timeGetTime.WINMM(00000000,?,?), ref: 070D2619
WaitForSingleObject.KERNEL32(?,00000001), ref: 070D263A
SwitchToThread.KERNEL32 ref: 070D2642
SetLastError.KERNEL32(000005B4), ref: 070D266C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Timetime$ErrorLastObjectSingleSwitchThreadWait
String ID:
API String ID: 410572411-0
Opcode ID: 9c0d5509d092ae8783246f55218d9b0af5c33d8217e72f9d2f0989df37b997be
Instruction ID: fb25efd535675a74d71bd315a0e87229efccbe478ed831d0702d2eb02823c455
Opcode Fuzzy Hash: 9c0d5509d092ae8783246f55218d9b0af5c33d8217e72f9d2f0989df37b997be
Instruction Fuzzy Hash: 6711C2F2900309EBDB209FE8E889BAEB7B8FB54314F10835AEC10D7280C7759D51CA60

Function 070F13A0 Relevance: 7.6, APIs: 5, Instructions: 57timeCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 070F13B6
timeGetTime.WINMM(?,?,?,?,?,070F125A,?,?,?,070BAD33), ref: 070F13D1
timeGetTime.WINMM(?,?,?,?,?,070F125A,?,?,?,070BAD33), ref: 070F13E9
MsgWaitForMultipleObjects.USER32(00000001,00000007,00000000,-00000064,000004FF), ref: 070F1404
SetLastError.KERNEL32(000005B4,?,?,?,?,?,070F125A,?,?,?,070BAD33), ref: 070F1431

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Timetime$ErrorLastMultipleObjectsWaitclosesocket
String ID:
API String ID: 413038252-0
Opcode ID: 345b32abb39c95ed94f2a6d428333c5e6ceb74aea23b9b768b2a04a0ccc10225
Instruction ID: d28daab212e0b8467668521206d9e09106d64e5b7cd75b4e5ac40e17572f4f26
Opcode Fuzzy Hash: 345b32abb39c95ed94f2a6d428333c5e6ceb74aea23b9b768b2a04a0ccc10225
Instruction Fuzzy Hash: AC01DBF5610209EBD624B7B8AC49AAD72DCDB45334F10431AFB72D3AC0E7B0A8418661

Function 07190F20 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 251COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 07191008

Strings

, xrefs: 07190FB4
0123456789ABCDEF, xrefs: 07190FF0
0123456789abcdef, xrefs: 07190FFB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: __aulldvrm
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-30751140
Opcode ID: 1b612522fe1fac3bb9fb74e9d47b2a3ed9f82ceb4bb6971d3d28fc23599c51c8
Instruction ID: 1f8e8c1a887a60e32c10d38755c931fe8ba105f31c3dff1557936b584f6fc4a7
Opcode Fuzzy Hash: 1b612522fe1fac3bb9fb74e9d47b2a3ed9f82ceb4bb6971d3d28fc23599c51c8
Instruction Fuzzy Hash: 68918EF5908347ABCF14DE29C48462BB7E1BBC8644F18093DF98493381E731E9868B93

Function 070DC730 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 070DC76C
__time64.LIBCMT ref: 070DC8E2
std::_Xinvalid_argument.LIBCPMT ref: 070DC956

Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 07248545
Part of subcall function 07248530: __CxxThrowException@8.LIBCMT ref: 0724855A
Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 0724856B

Strings

list<T> too long, xrefs: 070DC951

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: __time64std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 2963633919-4027344264
Opcode ID: 20f0dd3392af1291cc196b08ae48bb6b93927274ae4be4c51f9b27b07f9b3e01
Instruction ID: ea97d6cbb1d690b8fb54e225f02ba26f55c824b6c20f0fac65951aaa404784ca
Opcode Fuzzy Hash: 20f0dd3392af1291cc196b08ae48bb6b93927274ae4be4c51f9b27b07f9b3e01
Instruction Fuzzy Hash: 23813EF6900709DFDB14DF94D884ADFF7B9FB44210F14872AE516A7240E734AA48CBA6

Function 070DCDA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

_strtok_s.LIBCMT ref: 070DCE0D
SetLastError.KERNEL32(0000000B,070DAF65,?,?), ref: 070DCF0C
SetLastError.KERNEL32(0000000D,070DAF65,?,?), ref: 070DCF1C

Part of subcall function 07249FE2: __wcstoi64.LIBCMT ref: 07249FEE

Strings

;, xrefs: 070DCE07

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$__wcstoi64_strtok_s
String ID: ;
API String ID: 3540786700-4029419216
Opcode ID: 1cc33a6d2c258f5ca837f7ec9561536a7f7a7722fb639b3e58eb8c598ae03e5d
Instruction ID: ea4f1813c83458580e478ab241d0027973b13825233752eb9a2f23f01f5cee49
Opcode Fuzzy Hash: 1cc33a6d2c258f5ca837f7ec9561536a7f7a7722fb639b3e58eb8c598ae03e5d
Instruction Fuzzy Hash: 1141F6F2600306DFEB249F24C4547EFB7E9EB85258F10871ED84A87600DB719949CBA1

Function 070D61F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 070D627E

Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 07248545
Part of subcall function 07248530: __CxxThrowException@8.LIBCMT ref: 0724855A
Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 0724856B

Strings

list<T> too long, xrefs: 070D6279
Set-Cookie, xrefs: 070D6358
Cookie, xrefs: 070D6333

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: Cookie$Set-Cookie$list<T> too long
API String ID: 1823113695-1139602500
Opcode ID: 9ca16b12b1030c4900f83f70979c66453cb779be732a1af11534d10a551ac174
Instruction ID: fe45f9f5eaac79d3aec7c87da5f5b875d60c805d428f0dc4240775276f140076
Opcode Fuzzy Hash: 9ca16b12b1030c4900f83f70979c66453cb779be732a1af11534d10a551ac174
Instruction Fuzzy Hash: 5D514CB1600701DFD304DF68C880B9AB3E5FF89264F148759E469872A5DB31ED15CB92

Function 070E4F30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 070E4FBE

Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 07248545
Part of subcall function 07248530: __CxxThrowException@8.LIBCMT ref: 0724855A
Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 0724856B

Strings

list<T> too long, xrefs: 070E4FB9
Set-Cookie, xrefs: 070E509A
Cookie, xrefs: 070E5073

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: Cookie$Set-Cookie$list<T> too long
API String ID: 1823113695-1139602500
Opcode ID: 07510db13473ba0b73fca1130a9c3565fe00cddf3df6f7e92487df5f71d2fcf8
Instruction ID: c63f01877bd6e24983636403b6ef5e998dc34e9bc526c22d538627ec0cc2ede7
Opcode Fuzzy Hash: 07510db13473ba0b73fca1130a9c3565fe00cddf3df6f7e92487df5f71d2fcf8
Instruction Fuzzy Hash: DC512BB5200702AFD354DF68CC84B96B3E9FF89224F148769F429CB2A5E731E915CB91

Function 070E4BC0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 070E4C4E

Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 07248545
Part of subcall function 07248530: __CxxThrowException@8.LIBCMT ref: 0724855A
Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 0724856B

Strings

list<T> too long, xrefs: 070E4C49
Set-Cookie, xrefs: 070E4D2A
Cookie, xrefs: 070E4D03

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: Cookie$Set-Cookie$list<T> too long
API String ID: 1823113695-1139602500
Opcode ID: 1495199beca065e9ba32dfe94c9f0c48bb92663e08fe86556e49f5f80d1fcf0a
Instruction ID: ee7df0a70cb0380ce13060af93517dd962d2122c96d6834979ebc5e256c08f2d
Opcode Fuzzy Hash: 1495199beca065e9ba32dfe94c9f0c48bb92663e08fe86556e49f5f80d1fcf0a
Instruction Fuzzy Hash: D8514BB5204702AFC354DF68C880B96B3E9FF89324F148769F4298B3A5D730E945CB92

Function 0718F690 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0718F6AF
_memset.LIBCMT ref: 0718F6D2

Strings

crypto\buffer\buffer.c, xrefs: 0718F6EE, 0718F732, 0718F74B

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID: crypto\buffer\buffer.c
API String ID: 2102423945-2193715570
Opcode ID: c8d99dd2f706095c848c890618cc2641c95027c063b9ef4993b12fc984ca611a
Instruction ID: 20279115e36aba0502040091058269b99c458d8bd79a7a194264df8a3dbb0403
Opcode Fuzzy Hash: c8d99dd2f706095c848c890618cc2641c95027c063b9ef4993b12fc984ca611a
Instruction Fuzzy Hash: E12128F67403006BE2246E29FC92B56B3D99BD0711F18453DF68AC76C0E6A4E8468661

Function 071AB6E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 071AB70B
CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 071AB73C

Strings

engines\e_capi.c, xrefs: 071AB71F, 071AB74D, 071AB77C, 071AB795
capi_cert_get_fname, xrefs: 071AB6EC

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CertCertificateContextProperty
String ID: capi_cert_get_fname$engines\e_capi.c
API String ID: 665277682-4048789269
Opcode ID: 50f5a1070e29ef2b7b6b2f0f103cc781dd5ee8fe8e369109d99cca807e81350e
Instruction ID: e57042bd42edaa813dcf4ffe837e145dcbfa5b56e60dd57516225bfd36b142e1
Opcode Fuzzy Hash: 50f5a1070e29ef2b7b6b2f0f103cc781dd5ee8fe8e369109d99cca807e81350e
Instruction Fuzzy Hash: 9611ECF5385311B6F120B2B5BC92F5B229C9F81A65F104425F709DA1C1EBE4D61486FA

Function 070E07E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 070E07FA
_sprintf.LIBCMT ref: 070E083B

Strings

%x, xrefs: 070E07F4
%x%s, xrefs: 070E0835

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _sprintf
String ID: %x$%x%s
API String ID: 1467051239-1227228288
Opcode ID: ed4b1e29609d40632b9e894940e62f29886bba79c4a2f353ff80e08c026dc536
Instruction ID: fa26d1543435e568a4a0687876630cd9e4c2d832ffed2f93780e2b75822f643b
Opcode Fuzzy Hash: ed4b1e29609d40632b9e894940e62f29886bba79c4a2f353ff80e08c026dc536
Instruction Fuzzy Hash: B4219FF06107469FD729CF5CC9946A27BE8EF45344F248668E8DE8B215D7B1E5098B80

Function 071970F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0719711C
_memset.LIBCMT ref: 07197171

Strings

crypto\pem\pem_lib.c, xrefs: 0719715D
Enter PEM pass phrase:, xrefs: 07197132, 07197146

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove_memset
String ID: Enter PEM pass phrase:$crypto\pem\pem_lib.c
API String ID: 3555123492-1506836375
Opcode ID: c72f71427eaf001756b0ed4bc37cf1fb18520edaa21420f9fe0fc7e5bfb5b8f4
Instruction ID: fa1c22d8e12aed1afd5bca5ba54109b581824f312e095109f6b921b8aa7a3e61
Opcode Fuzzy Hash: c72f71427eaf001756b0ed4bc37cf1fb18520edaa21420f9fe0fc7e5bfb5b8f4
Instruction Fuzzy Hash: 8E112CF2714212ABD6159A3CBC14F9B67D98FC1660F094674F954DB2C4E760DC06C3D2

Function 070F0FE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,070F0A87,?,?,?,?,070E1319,?,?), ref: 070F0FE8
GetLastError.KERNEL32(?,?,?,?,070E1319,?,?), ref: 070F0FF6
SetLastError.KERNEL32 ref: 070F1006

Strings

CTcpServer::CreateCompletePort, xrefs: 070F100F

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$CompletionCreatePort
String ID: CTcpServer::CreateCompletePort
API String ID: 3924628623-733961914
Opcode ID: 3d95a1696cf7fc65f294a766da159e6def139ae2203f7002991fb12e9fb65f56
Instruction ID: 9453f51a17cc402f1bc64d949de13bbf2d3bbc823c23a9dd5e4c8623cfc9bbf5
Opcode Fuzzy Hash: 3d95a1696cf7fc65f294a766da159e6def139ae2203f7002991fb12e9fb65f56
Instruction Fuzzy Hash: E0E086B1541712FBE3202B34BD0EB4A3A94BF05774F104266F618D56D0E7A8A050CB91

Function 07139670 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 071396AC
_memmove.LIBCMT ref: 0713974E
_memset.LIBCMT ref: 0713985D
_memset.LIBCMT ref: 07139896

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove_memset
String ID:
API String ID: 3555123492-0
Opcode ID: 3bfb78a08916b7bc390d27a3c5e247f19ef49631a4d421081418d5a5a11f96ea
Instruction ID: aca8e2a38901298ffa2e10bd94cb40a1e76f1635d32b02598967e4510cd206db
Opcode Fuzzy Hash: 3bfb78a08916b7bc390d27a3c5e247f19ef49631a4d421081418d5a5a11f96ea
Instruction Fuzzy Hash: B1818AB5A00B018FC724CF29C9919AAF7F6FF84309B144A6DD88687B91D7B0F884CB40

Function 07116460 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 071164B1
_memset.LIBCMT ref: 071164C8
_memset.LIBCMT ref: 071164E3
_memset.LIBCMT ref: 07116500

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 232ed90f7fb96caac338e04390b9a4b865acafc32eece739db02b8ca2e0fd9d5
Instruction ID: e7116de6104ffc024b552a8f99d8d1d085f8f7f89b27844ddbaa444e5803b958
Opcode Fuzzy Hash: 232ed90f7fb96caac338e04390b9a4b865acafc32eece739db02b8ca2e0fd9d5
Instruction Fuzzy Hash: 0F8162B1B0031A9BCB64CF64DC50BA9B7F1BB8A310F1480E9E94D97680DF759A91CF51

Function 07249534 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 07249542

Part of subcall function 072494AD: __getptd.LIBCMT ref: 072494C0

Part of subcall function 0724AA53: __getptd_noexit.LIBCMT ref: 0724AA53

__stricmp_l.LIBCMT ref: 072495AF

Part of subcall function 07249B11: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 07249B20

___crtLCMapStringA.LIBCMT ref: 07249605
___crtLCMapStringA.LIBCMT ref: 07249686

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 1beb76004a4f566d7e889f70affe2f7202e5ead0011055ea486a616b107482ba
Instruction ID: 2adc10e15cd8089ec21564e1ed7c5c44458c34f21844311bea85e13f5291302f
Opcode Fuzzy Hash: 1beb76004a4f566d7e889f70affe2f7202e5ead0011055ea486a616b107482ba
Instruction Fuzzy Hash: 7151F7F0D3415AABDB2D8B68C485BFB7BB4AB02324F28419DE4E15A1D1D270AA81CB50

Function 070EBF10 Relevance: 6.1, APIs: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(18B52151), ref: 070EBF3F
timeGetTime.WINMM ref: 070EBF59
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000064,000004FF), ref: 070EBF78
SetLastError.KERNEL32(000005B4), ref: 070EBFA5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Timetime$ErrorLastMultipleObjectsWait
String ID:
API String ID: 3474523637-0
Opcode ID: a05acbb69309a7fadaffca810b286a0ed40adbf8b340ce707b87ce51d855cffe
Instruction ID: 26e7ce17ef53ec68e5b439ac77cae7a7f37baeb399442c0fed4903835b98023e
Opcode Fuzzy Hash: a05acbb69309a7fadaffca810b286a0ed40adbf8b340ce707b87ce51d855cffe
Instruction Fuzzy Hash: 6141A5F1A10215EFDB18DBA8D885BADB7F9EF08710F04422AF925E7380D770A944CB91

Function 070E08B0 Relevance: 6.1, APIs: 4, Instructions: 115networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,?,?,070D3E5B,?,?,?,?,00000000,?,?,?,?,00000000,?), ref: 070E092C
htons.WS2_32(?), ref: 070E094D
htonl.WS2_32(?), ref: 070E096F
htonl.WS2_32(?), ref: 070E0975

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: htonl$ErrorLasthtons
String ID:
API String ID: 543333157-0
Opcode ID: 49f491ffb0dbb93ff4c18050e493b58b9df39b6dc46126f5385d0be48176b36e
Instruction ID: 4db892783f3cdb0548c60a3ca150330407677c60bb1d261f89d3127359c13c67
Opcode Fuzzy Hash: 49f491ffb0dbb93ff4c18050e493b58b9df39b6dc46126f5385d0be48176b36e
Instruction Fuzzy Hash: 1B41D7F16142068FEB18CF35D88565AB7EAFFD8214B29C57EE49AC7311E2B8D441CB50

Function 0717C490 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,0717C660,073645A0,071ADA3C), ref: 0717C4A3

Part of subcall function 07186460: RtlEnterCriticalSection.NTDLL(?), ref: 07186465

SetLastError.KERNEL32(?,?,0717C660,073645A0,071ADA3C), ref: 0717C595

Part of subcall function 07186480: RtlLeaveCriticalSection.NTDLL(?), ref: 07186485

Strings

unknown, xrefs: 0717C560
Operation not permitted, xrefs: 0717C49C, 0717C508, 0717C530, 0717C54D

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID: Operation not permitted$unknown
API String ID: 2124651672-31098287
Opcode ID: cbe2dfc108871cfae4643e1d4c7d288eef3732d814bd994fc87c950310198062
Instruction ID: 81331b3eebbb4788b5f993cc023f127e5a822340dc1cb0a03324c191d2ef3433
Opcode Fuzzy Hash: cbe2dfc108871cfae4643e1d4c7d288eef3732d814bd994fc87c950310198062
Instruction Fuzzy Hash: A331E8F6A002119BF7109F24FC8877A77BDEB40319F288029E94A87282E7369544CFE1

Function 070ED390 Relevance: 6.1, APIs: 4, Instructions: 107memorytimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,?,?,070ED1D4,?,?,?,?,00000000,?,070ECFF0,?,?,?), ref: 070ED3BF
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,070ED1D4,?,?,?,?,00000000,?,070ECFF0), ref: 070ED442
GetLastError.KERNEL32 ref: 070ED461
HeapFree.KERNEL32(?,00000000,00000004,00000004,?,00000002,00000004,00000000), ref: 070ED49C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: FreeHeap$ErrorLastTimetime
String ID:
API String ID: 3989459056-0
Opcode ID: f04c0f6e448e6bb3ea5e35e2d222066f783258742a6cbd9a6514aa5b494b5fde
Instruction ID: 6848b0bd2ce9fa57ef86e25ba38f0eb64658d69946279722001533879329f8c1
Opcode Fuzzy Hash: f04c0f6e448e6bb3ea5e35e2d222066f783258742a6cbd9a6514aa5b494b5fde
Instruction Fuzzy Hash: 493184F1710206AFD760AA68DD85FAA73ECEF95624F108666F905C7640E774E9008761

Function 0725C2E3 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0725C317
__isleadbyte_l.LIBCMT ref: 0725C34A
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,07258970,00000109,00BFBBEF,00000003), ref: 0725C37B
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,07258970,00000109,00BFBBEF,00000003), ref: 0725C3E9

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 71b7bdeed807a9672d5cb3063a38f6e66e20d4906ba7ab82ed2f7b867cc18415
Instruction ID: 5c14804d43ef3420754e430ee5e8e4b91b6cf9a87b78098ab5c62f695eb5e3ac
Opcode Fuzzy Hash: 71b7bdeed807a9672d5cb3063a38f6e66e20d4906ba7ab82ed2f7b867cc18415
Instruction Fuzzy Hash: 3F318EF1A2435BFFDB20DF64C8849BE3BA5BF01220F148569E8A19B190E770D980CB61

Function 070FD210 Relevance: 6.1, APIs: 4, Instructions: 92timeCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 070FD29E
timeGetTime.WINMM(?,070FCD4F,?,?), ref: 070FD2B4
InterlockedDecrement.KERNEL32(?), ref: 070FD303

Part of subcall function 070FCF60: RtlEnterCriticalSection.NTDLL(?), ref: 070FCF94
Part of subcall function 070FCF60: RtlLeaveCriticalSection.NTDLL(?), ref: 070FCFBF

GetLastError.KERNEL32 ref: 070FD2E5

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalInterlockedSection$DecrementEnterErrorIncrementLastLeaveTimetime
String ID:
API String ID: 1282575898-0
Opcode ID: 56b0bfa57624d87bbe378c2ce7e482a1a7680fca648f82d576830e671e862e9c
Instruction ID: 2d1ba80d462628039a13f26bc0b4537f97a92bb2e48e724e665c5ce79d463ecc
Opcode Fuzzy Hash: 56b0bfa57624d87bbe378c2ce7e482a1a7680fca648f82d576830e671e862e9c
Instruction Fuzzy Hash: CF31B6F5700206AFDBA1CF64DCD5F6A73E9EB49714F14863AEB05C7680EB74E4408661

Function 071A88F0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 071A893E
_memmove.LIBCMT ref: 071A8960
_memset.LIBCMT ref: 071A8987
_memmove.LIBCMT ref: 071A89BB

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: 00f8a9ab7e023347ffd56c6377bf01a2f595b2e3e67909ec1733f64737f5ca56
Instruction ID: 00ee152d6f52b2ccaa039aaa43ebca212a000fddbca536619562ecbf9e5eedfe
Opcode Fuzzy Hash: 00f8a9ab7e023347ffd56c6377bf01a2f595b2e3e67909ec1733f64737f5ca56
Instruction Fuzzy Hash: 9421F4F6600706AFD7219E59DC80E6BB3EDEFD0214F41052DFA0687281E775FA088A66

Function 070C4240 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070C4271
RtlLeaveCriticalSection.NTDLL(?), ref: 070C428E
RtlLeaveCriticalSection.NTDLL(?), ref: 070C42B8
RtlLeaveCriticalSection.NTDLL(?), ref: 070C4301

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 1deaa855ac21655054b634c8b04d388e3c9bf900257ea5a0b844cf181ac070c1
Instruction ID: 8791e5a22423fa44e582a8bf243f4d48efece9093695e64fa49da8a087a9fccc
Opcode Fuzzy Hash: 1deaa855ac21655054b634c8b04d388e3c9bf900257ea5a0b844cf181ac070c1
Instruction Fuzzy Hash: A22183B6604644AFD714CF59E885BAAF7E8FB88764F50826BFD05C7740D735A900C7A0

Function 070C4860 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070C4891
RtlLeaveCriticalSection.NTDLL(?), ref: 070C48AE
RtlLeaveCriticalSection.NTDLL(?), ref: 070C48D8
RtlLeaveCriticalSection.NTDLL(?), ref: 070C4921

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 06a03bd9bcd47889463fde4ffc6966b088797effd08dcd7179a5151bb6d601a7
Instruction ID: 0d392f57f5b53aba9262c2ab5744bcc2e628eba82fbbb1be6c1672d19b4b19f4
Opcode Fuzzy Hash: 06a03bd9bcd47889463fde4ffc6966b088797effd08dcd7179a5151bb6d601a7
Instruction Fuzzy Hash: ED216DB6A04644AFD714CF59E885BAAF7E8FB88764F10826BFD05C7740D735A900CBA0

Function 070CD640 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070CD671
RtlLeaveCriticalSection.NTDLL(?), ref: 070CD68E
RtlLeaveCriticalSection.NTDLL(?), ref: 070CD6B8
RtlLeaveCriticalSection.NTDLL(?), ref: 070CD701

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: d6f703ccc796d08d0d6077e11d4d7873513f29c24719a1e9160e96abf2a02c05
Instruction ID: 6d667bcc405ad310016afdb627a1b4babe6ab7b95a0bc6d234ad5307d8078407
Opcode Fuzzy Hash: d6f703ccc796d08d0d6077e11d4d7873513f29c24719a1e9160e96abf2a02c05
Instruction Fuzzy Hash: 7D2151B6604604AFD714CF59E885BAAF7A8FB88765F10826BED19C7740D735A800CBA0

Function 070F0960 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,18B52151), ref: 070F0993
RtlEnterCriticalSection.NTDLL(?), ref: 070F09DA
SetLastError.KERNEL32(00000000), ref: 070F09F1
RtlLeaveCriticalSection.NTDLL(?), ref: 070F0A15

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 5f52c3119a176f0a852588209bcef5e1ee75d0d2c913f83cc4ffdb89958fd519
Instruction ID: 416e571e8267c9418b89b0a168d063f770a2d5540f4a6e5b573ca879f1e1a8d6
Opcode Fuzzy Hash: 5f52c3119a176f0a852588209bcef5e1ee75d0d2c913f83cc4ffdb89958fd519
Instruction Fuzzy Hash: D6318DB4A10205EFD714CF64D885F6AB3E9FB4C310F50866AEA16D7B41E774E800CBA0

Function 070EB650 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,18B52151,?,?), ref: 070EB683
RtlEnterCriticalSection.NTDLL(?), ref: 070EB6CA
SetLastError.KERNEL32(00000000), ref: 070EB6E1
RtlLeaveCriticalSection.NTDLL(?), ref: 070EB705

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 50bb32c6b7f001420692a25efde3ccfb202b7d5687e4f7f16db1261c9b738bb0
Instruction ID: c2e9815cc9adc168eebc11b008ff17a5f018dbc08c8608e68bc59b093e3ef66f
Opcode Fuzzy Hash: 50bb32c6b7f001420692a25efde3ccfb202b7d5687e4f7f16db1261c9b738bb0
Instruction Fuzzy Hash: E7315AF4A00605EFD714DF68D989E6AB7E9FB48310F10866AE956C7B40D774E900CBA0

Function 070E8E90 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010D2,?,?,?,?,?,?,?), ref: 070E8ED8
InterlockedIncrement.KERNEL32(0736D0D0), ref: 070E8EEB
GetLastError.KERNEL32(?,?,?,?,?), ref: 070E8F3E
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 070E8F50

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$IncrementInterlocked
String ID:
API String ID: 621017237-0
Opcode ID: b832c6405792bbe325aca0a8d54d3fca0089de84b58d6c91b9984faed8ff0664
Instruction ID: 7c638c016299aa64211acd3e299310bf24530b310b9286f0f38524c775df00b2
Opcode Fuzzy Hash: b832c6405792bbe325aca0a8d54d3fca0089de84b58d6c91b9984faed8ff0664
Instruction Fuzzy Hash: E42183F2A00105FFD700EFA5ED859ABB7ADAF54254F008255FE18E3280D734E95187A2

Function 070CE3A0 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 070CE3F4
SetLastError.KERNEL32(00000000), ref: 070CE402
CloseHandle.KERNEL32(?), ref: 070CE44A
CloseHandle.KERNEL32(?), ref: 070CE466

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID:
API String ID: 1454876536-0
Opcode ID: d7df5883d5312e5086a6e11d847a063403a55517791bd33d4f169432c944a875
Instruction ID: 89b4746d6796da1682c519308140695b9ebb2d7506be08338ba8505ed057f5ee
Opcode Fuzzy Hash: d7df5883d5312e5086a6e11d847a063403a55517791bd33d4f169432c944a875
Instruction Fuzzy Hash: 0021BCF150064AFFDB14DBB4DC48B8AB7E8FB04315F00876AE929D7280DB34A914CBA1

Function 070C5250 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 070C52A4
SetLastError.KERNEL32(00000000), ref: 070C52B2
CloseHandle.KERNEL32(?), ref: 070C52FA
CloseHandle.KERNEL32(?), ref: 070C5316

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID:
API String ID: 1454876536-0
Opcode ID: 4ad1055f979b01d06f957570fba1404dd4b9d3a44fcaf7a845d0171527871b5d
Instruction ID: 532717535d43e452856b6127cff057a71fa08a9ffe2519fd84d5a9014452a464
Opcode Fuzzy Hash: 4ad1055f979b01d06f957570fba1404dd4b9d3a44fcaf7a845d0171527871b5d
Instruction Fuzzy Hash: E621DDF5A0064AFFCB04DBA4EC44ACAB7E8FB04304F104659E91993280DB74B614CB91

Function 070F8EE0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070F8F0E
RtlLeaveCriticalSection.NTDLL(?), ref: 070F8F29
RtlLeaveCriticalSection.NTDLL(070F8D15), ref: 070F8F95
SetEvent.KERNEL32(?), ref: 070F8FB0

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 318b4c8fed1daa1fb83749794664eb62afea5f9acfb91c80ef01fc4c4f7e91b1
Instruction ID: fe271f4188da1975ba561c2355310a09599daf38f3143413c24592bba946577c
Opcode Fuzzy Hash: 318b4c8fed1daa1fb83749794664eb62afea5f9acfb91c80ef01fc4c4f7e91b1
Instruction Fuzzy Hash: 5C31E6B1A04A05DFD714CF69D984AAAF7F5FB48714F50C66EE91A87740EB39A800CB50

Function 070FAC70 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,18B52151,?,?,00000000,07262808,000000FF,?,070FD1C2,?,?,070FCD6E,00000000,?), ref: 070FACA1
RtlEnterCriticalSection.NTDLL(?), ref: 070FACD6
SetLastError.KERNEL32(00000000,?,00000000,07262808,000000FF,?,070FD1C2,?,?,070FCD6E,00000000,?), ref: 070FACED
RtlLeaveCriticalSection.NTDLL(070FCD6E), ref: 070FAD11

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: fcd6c8a43e0889a6834ef90bc3feb6aba80258d223d3438407986f6ca87845b1
Instruction ID: 065d9f748a5ab5431e46f489e71fc92f7afb16a46837d57cc91649c9fed15a74
Opcode Fuzzy Hash: fcd6c8a43e0889a6834ef90bc3feb6aba80258d223d3438407986f6ca87845b1
Instruction Fuzzy Hash: 6C2168F5A00605AFD714CF54E889F6AB3E9FF49310F50866AEA1A87B40D774E800CBA0

Function 070EE7D0 Relevance: 6.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 070EE868

Part of subcall function 070EE890: HeapFree.KERNEL32(00000007,00000000,?,?,00000000,070EE806), ref: 070EE8D1

RtlDeleteCriticalSection.NTDLL(00000070), ref: 070EE832
RtlDeleteCriticalSection.NTDLL(00000058), ref: 070EE838
HeapFree.KERNEL32(?,00000000,00000000), ref: 070EE843

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalDeleteFreeHeapSection$_free
String ID:
API String ID: 210024702-0
Opcode ID: 3c02564b7f17b4782b8422bc9c07175955d214a5ef402272a62fc452d276d157
Instruction ID: 493efb0e6fe4a3a43dc3fde390a6808937be8349c7ee93ae91abbfe1627951ca
Opcode Fuzzy Hash: 3c02564b7f17b4782b8422bc9c07175955d214a5ef402272a62fc452d276d157
Instruction Fuzzy Hash: EF218EB5A00609EFD710CF6DD980A5AB7F9FFC9314B208A5ED499D7250C731B945CB90

Function 070C2F00 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 070C2F46

Part of subcall function 07248728: HeapFree.KERNEL32(00000000,00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 0724873E
Part of subcall function 07248728: GetLastError.KERNEL32(00000000,?,07250575,00000000,?,?,0724AA58,0724871D), ref: 07248750

_free.LIBCMT ref: 070C2F4F
CloseHandle.KERNEL32(8908558B,18B52151,?,?,00000000,?,?,07262E78,000000FF,?,070BADA1), ref: 070C2F94
CloseHandle.KERNEL32(00000190,18B52151,?,?,00000000,?,?,07262E78,000000FF,?,070BADA1), ref: 070C2FB7

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseHandle_free$ErrorFreeHeapLast
String ID:
API String ID: 1377863804-0
Opcode ID: bb232572bcaa19bf5b79a7d098b9946354ec96b6cfa49c851f12b83ca73cfb39
Instruction ID: 0cdb2fbba1df128b1471dacaa7cf214c5919e29b3e09a7629b987a294ad80145
Opcode Fuzzy Hash: bb232572bcaa19bf5b79a7d098b9946354ec96b6cfa49c851f12b83ca73cfb39
Instruction Fuzzy Hash: 70215EF290060AEFC724DF64D940A99F7E8FB04710F51472EEA28A7680C735B915DB91

Function 070CF060 Relevance: 6.1, APIs: 4, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 070CF0C9
SetLastError.KERNEL32(00000000), ref: 070CF0D7
_free.LIBCMT ref: 070CF0E8
CloseHandle.KERNEL32(?), ref: 070CF128

Part of subcall function 070F0200: GetCurrentThreadId.KERNEL32 ref: 070F0204

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseCurrentErrorHandleLastObjectSingleThreadWait_free
String ID:
API String ID: 222395615-0
Opcode ID: fca850f30ce7c98b0fe4315461c7b9fd9c1b0dc6b47e8c17c58fd5fcf8252d81
Instruction ID: f582bed0462392f9470aa5abe53138e2b6cba8d817a00cc737ae49e3b4b4bc66
Opcode Fuzzy Hash: fca850f30ce7c98b0fe4315461c7b9fd9c1b0dc6b47e8c17c58fd5fcf8252d81
Instruction Fuzzy Hash: 00218BF6A10606EBDB18DF65D888B89FBE9FB00718F100719E928D7280CB34B614CB95

Function 070FE3E0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 070FE42F
InterlockedCompareExchange.KERNEL32(?,?,?), ref: 070FE443

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CompareExchangeInterlocked
String ID:
API String ID: 3335655927-0
Opcode ID: 27ae1d4f3341814daf4bea47a3a44d8971f367734618f145c6ab0743001c51d6
Instruction ID: fe8d02c608bc33dc146d745ba398c1fdc96c6bd449708b94b6cbb4489e2d7ceb
Opcode Fuzzy Hash: 27ae1d4f3341814daf4bea47a3a44d8971f367734618f145c6ab0743001c51d6
Instruction Fuzzy Hash: 2B219DB1600204EBC730CF68E988F96B7F9FB89300F10899EFA86C7250C771A911CB60

Function 070ED220 Relevance: 6.1, APIs: 4, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 070ED24D
setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 070ED272

Part of subcall function 070EB520: RtlEnterCriticalSection.NTDLL(?), ref: 070EB54E
Part of subcall function 070EB520: RtlLeaveCriticalSection.NTDLL(?), ref: 070EB56B

HeapFree.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 070ED2C2
InterlockedDecrement.KERNEL32(?), ref: 070ED2C9

Part of subcall function 070ED5B0: HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,070ED299,?,?), ref: 070ED652

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalFreeHeapInterlockedSection$DecrementEnterIncrementLeavesetsockopt
String ID:
API String ID: 2428991505-0
Opcode ID: 992e200d5b8d9b9c8e9a1a75b4da3af993e17abb86d1645f932c1fcb5ba453d0
Instruction ID: 73d13b012ae6be7d46d930bb8ab8820f07456ccb41ca9d384b1fdb7e5ac2526c
Opcode Fuzzy Hash: 992e200d5b8d9b9c8e9a1a75b4da3af993e17abb86d1645f932c1fcb5ba453d0
Instruction Fuzzy Hash: 36114FF1650204AFE710DF64DC85FAEB7BCEB49B14F10862BFA15D7380DA79A9008B65

Function 070C9100 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 070C914E
_free.LIBCMT ref: 070C9165
std::exception::exception.LIBCMT ref: 070C9187
__CxxThrowException@8.LIBCMT ref: 070C919C

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Exception@8Throw_free_mallocstd::exception::exception
String ID:
API String ID: 2028091880-0
Opcode ID: 0ad949202d5eb6ff5a709f85fa611fb3b40b581982f8c17f43a9b58a22dc34c5
Instruction ID: 1f5d8c5680ee42256987ff0af5965044842a1c9932ffa6759b3a55f51fc10590
Opcode Fuzzy Hash: 0ad949202d5eb6ff5a709f85fa611fb3b40b581982f8c17f43a9b58a22dc34c5
Instruction Fuzzy Hash: DB11B4F1A203029FDB64DF68D88565DB7F9AF94744F14862DDC9AC7300FA31B5808752

Function 070C80F0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 070C8138
_free.LIBCMT ref: 070C814F
std::exception::exception.LIBCMT ref: 070C8171
__CxxThrowException@8.LIBCMT ref: 070C8186

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Exception@8Throw_free_mallocstd::exception::exception
String ID:
API String ID: 2028091880-0
Opcode ID: a47d4882f0e5adea602e85988b18bbf5e6724064b83b69f7184441ec3c92fe86
Instruction ID: 0ce3ec17c99ea6f75cd9020c5ade5d49816ed0d211c9f696b94e41aaa0610753
Opcode Fuzzy Hash: a47d4882f0e5adea602e85988b18bbf5e6724064b83b69f7184441ec3c92fe86
Instruction Fuzzy Hash: 8711E6F1A10702AFCB64DF68C88065EB7ECAF44640B14CA2DDD9AC7380FA31E180CB56

Function 070E5470 Relevance: 6.1, APIs: 4, Instructions: 59fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,?,?,?,?,?,070E61F2,?,?), ref: 070E547E
CreateFileMappingA.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 070E5493
MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,?,00000000,?,?,?,070E61F2,?,?), ref: 070E54D3
CloseHandle.KERNEL32(?,?,?,?,070E61F2,?,?), ref: 070E54EA

Part of subcall function 070CB420: GetLastError.KERNEL32(070C736C), ref: 070CB420

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastMappingSizeView
String ID:
API String ID: 322783378-0
Opcode ID: c1372c8cfbd6aad15463874d416eb681530bb40ad874ba3b76370f7be534b898
Instruction ID: 47b5425f7032852c2574b3597f9b159b60ea21d43cbfe0fec0f2c836edf9f8fe
Opcode Fuzzy Hash: c1372c8cfbd6aad15463874d416eb681530bb40ad874ba3b76370f7be534b898
Instruction Fuzzy Hash: DC1151B1600705ABD320DFA5EC09B2BF7FCEB84709F10465EE949C7780E6B4A80487A1

Function 070EB520 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 070EB54E
RtlLeaveCriticalSection.NTDLL(?), ref: 070EB56B
SetLastError.KERNEL32(00000000,?,070ED288), ref: 070EB589
RtlLeaveCriticalSection.NTDLL(?), ref: 070EB5A2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$EnterErrorLast
String ID:
API String ID: 3832147951-0
Opcode ID: 46e917553a42ad9e5f90f2783f3f0bfcb8b0213584ad1691d21f2c42568db44e
Instruction ID: b6ce00b55d601a7b5af3051826e2d07c324badf5fc75e51c0044749eaba507e9
Opcode Fuzzy Hash: 46e917553a42ad9e5f90f2783f3f0bfcb8b0213584ad1691d21f2c42568db44e
Instruction Fuzzy Hash: FA1182B6A046149FD714CF88E849BAEB7F8FB49714F0046AFE915D7740DB79A800CB90

Function 070F0200 Relevance: 6.0, APIs: 4, Instructions: 50threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 070F0204
WSACloseEvent.WS2_32(?), ref: 070F0246
shutdown.WS2_32(070BB357,00000001), ref: 070F025A
closesocket.WS2_32(070BB357), ref: 070F0264

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseCurrentEventThreadclosesocketshutdown
String ID:
API String ID: 802825583-0
Opcode ID: b66e9aff86e641304e9250686b1c1d964b063ad22f659f17e86fc792b3f232e7
Instruction ID: 0733fd4d2f5f2dfd222052b2e243846a23a679aa7ed05047812babc922fe9c63
Opcode Fuzzy Hash: b66e9aff86e641304e9250686b1c1d964b063ad22f659f17e86fc792b3f232e7
Instruction Fuzzy Hash: C60140B52007018FD674DF2DEC4895AF3EABFC8624B148B1AF596C3B90D774E8428B60

Function 070F7110 Relevance: 6.0, APIs: 4, Instructions: 50threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 070F7114
WSACloseEvent.WS2_32(?), ref: 070F7156
shutdown.WS2_32(070BD157,00000001), ref: 070F716A
closesocket.WS2_32(070BD157), ref: 070F7174

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CloseCurrentEventThreadclosesocketshutdown
String ID:
API String ID: 802825583-0
Opcode ID: 6d82365902831a4312cfce0395087d50825bb2907324bd48e52e9507ebd9a60d
Instruction ID: 06fabc5eb4f02a988b45eb8a95b4099eb62c131d2c5fedcd6b32e4f17f8107de
Opcode Fuzzy Hash: 6d82365902831a4312cfce0395087d50825bb2907324bd48e52e9507ebd9a60d
Instruction Fuzzy Hash: 53012DB5200B009FC6349F2DE84895AB7EABF88220B145B1AF596C3B90DB74E8468B51

Function 070E63B0 Relevance: 6.0, APIs: 4, Instructions: 46networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 070E63D3
WSARecv.WS2_32(00000000,?,00000001,?,?,?,00000000), ref: 070E63ED
WSAGetLastError.WS2_32 ref: 070E63F8
InterlockedDecrement.KERNEL32(?), ref: 070E6409

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Interlocked$DecrementErrorIncrementLastRecv
String ID:
API String ID: 2764021884-0
Opcode ID: d7b7709e7c961b45d2684bf6d507f794facc0f89971265c83192e24d16c07558
Instruction ID: cd5f49206291b4f54f10d7c3d445daa92dc8231de56cbd0f2394f0c472081748
Opcode Fuzzy Hash: d7b7709e7c961b45d2684bf6d507f794facc0f89971265c83192e24d16c07558
Instruction Fuzzy Hash: 960167B1501218AFD710DFA8BCC99AAF7FCFB49219F40436EF909D3640D6715D448BA1

Function 07248614 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0724862E

Part of subcall function 07248694: __FF_MSGBANNER.LIBCMT ref: 072486AD
Part of subcall function 07248694: __NMSG_WRITE.LIBCMT ref: 072486B4
Part of subcall function 07248694: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 072486D9

std::exception::exception.LIBCMT ref: 07248663
std::exception::exception.LIBCMT ref: 0724867D
__CxxThrowException@8.LIBCMT ref: 0724868E

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: f2f5bf14158cfa0ce278e2c8544c79b7468bf412dffa9348a05828f6da7c6a31
Instruction ID: e2ca7ebf917dacb55805a08263ee1e655d5f1ad57c9b06161aaf6e48b0083665
Opcode Fuzzy Hash: f2f5bf14158cfa0ce278e2c8544c79b7468bf412dffa9348a05828f6da7c6a31
Instruction Fuzzy Hash: 3DF028F193020EFBEF4CFB94D805A9E7BBEBB40714F04001AD814A6080CFB4A640C792

Function 070D26F0 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000002,00000001), ref: 070D2700
InterlockedCompareExchange.KERNEL32(?,00000002,00000000), ref: 070D270C
WaitForSingleObject.KERNEL32(?,00000005,?,?,070D22CE,?,?,?,070BBDB7,000000FF,18B52151), ref: 070D2729
SetLastError.KERNEL32(0000139F,?,?,070D22CE,?,?,?,070BBDB7,000000FF,18B52151,?,?,?,?,?,07263F5E), ref: 070D2737

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CompareExchangeInterlocked$ErrorLastObjectSingleWait
String ID:
API String ID: 322141815-0
Opcode ID: 1b0387b0f8d52e7aafa17b846bfcec1d4eb9335b82cf3a5f5054f2f7e73ddf31
Instruction ID: 2c8f9f1ef747a280d590c66b637aa49156fb31d61880eadb7255424c97dabad0
Opcode Fuzzy Hash: 1b0387b0f8d52e7aafa17b846bfcec1d4eb9335b82cf3a5f5054f2f7e73ddf31
Instruction Fuzzy Hash: 3FF0A7B2340301ABE270EA58BC4AF9AB399FF91750F558142F240E72D0C3A4EC438A54

Function 07248471 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0736C284), ref: 0724847E
RtlLeaveCriticalSection.NTDLL(0736C284), ref: 0724849A
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,070CAF53,00000000,?,?,?,?,070CB134,?,070DCB53,?,18B52151), ref: 072484B9
RtlLeaveCriticalSection.NTDLL(0736C284), ref: 072484C0

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExceptionRaise
String ID:
API String ID: 799838862-0
Opcode ID: 0ab032f0c15a9174983e044359cf0fe5a2e9f8eb59ea7faa9605eb6cf83aadc7
Instruction ID: b29c4b2812e466bb5c572d71a3fa55f66c3b015df649ef1a552fc4dcbfdd7b49
Opcode Fuzzy Hash: 0ab032f0c15a9174983e044359cf0fe5a2e9f8eb59ea7faa9605eb6cf83aadc7
Instruction Fuzzy Hash: FCF090B6230201AFE7248A55BC49A6A77A8FF85725F01845AFA0ADB640DBB4B801C771

Function 070C2DB0 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 070C8090: HeapFree.KERNEL32(?,00000000,?,?,00000000,070C2DBC,?,?,070BADAC,?), ref: 070C80AE
Part of subcall function 070C8090: _free.LIBCMT ref: 070C80CA

HeapDestroy.KERNEL32(00000000,?,?,070BADAC,?), ref: 070C2DC3
HeapCreate.KERNEL32(?,?,?,?,?,070BADAC,?), ref: 070C2DD5
_free.LIBCMT ref: 070C2DE5
HeapDestroy.KERNEL32(?,?,?,070BADAC,?), ref: 070C2E12

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: c2569c1e36611774a6bd9a3a9bcbb44cd9a1cb2054944f2071bc786ba564d0ac
Instruction ID: 82fcbd26aae196f20e3669a59fd500433b70788532b53d601748a734b02624aa
Opcode Fuzzy Hash: c2569c1e36611774a6bd9a3a9bcbb44cd9a1cb2054944f2071bc786ba564d0ac
Instruction Fuzzy Hash: AEF037F91006029BE760DF24E908B5BB7F9FF80704F108A1DE85993740DB3AE815CBA0

Function 070C2B10 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 070B1890: HeapFree.KERNEL32(?,00000000,?,?,?,070B1461), ref: 070B18AD
Part of subcall function 070B1890: _free.LIBCMT ref: 070B18C9

HeapDestroy.KERNEL32(00000000,?,00000000,070BA68F,?), ref: 070C2B23
HeapCreate.KERNEL32(?,?,?,?,00000000,070BA68F,?), ref: 070C2B35
_free.LIBCMT ref: 070C2B45
HeapDestroy.KERNEL32(?,?,00000000,070BA68F,?), ref: 070C2B72

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 45d23e96b926b71ed6cc06687b77886bcbe7474509fcd77b893d1f366637415b
Instruction ID: dae34e324d8aa2a967039fc539902b1dc0a17a42351ac78dc3a292638d78d770
Opcode Fuzzy Hash: 45d23e96b926b71ed6cc06687b77886bcbe7474509fcd77b893d1f366637415b
Instruction Fuzzy Hash: BDF014F9100A029BD7209F24E948B6BB7F9FF84701F108A19E85993640DB39E8158BA0

Function 071A2280 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 071A23AB
_memset.LIBCMT ref: 071A2325

Part of subcall function 07186B20: _memset.LIBCMT ref: 07186B7B

Strings

crypto\asn1\tasn_new.c, xrefs: 071A2334, 071A23BA, 071A23F0, 071A2465, 071A2494

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID: crypto\asn1\tasn_new.c
API String ID: 2102423945-954152134
Opcode ID: 55a0d8517b63e29604eba7f7d9c03ee5bb5a51f45b55dd72b12f7f2b39619cca
Instruction ID: befaf1d99e8cb36ddec64eaf14a3c9f58f1f1a945de0689a75315b4f99792d49
Opcode Fuzzy Hash: 55a0d8517b63e29604eba7f7d9c03ee5bb5a51f45b55dd72b12f7f2b39619cca
Instruction Fuzzy Hash: 7551F6F9700306BAD2316AA5ACC1E7B7798FFC2654F15042EF509866C1E775E44882B2

Function 070DC3D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 070DC430
std::_Xinvalid_argument.LIBCPMT ref: 070DC4AF

Strings

list<T> too long, xrefs: 070DC4AA

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Xinvalid_argument__time64std::_
String ID: list<T> too long
API String ID: 1981659842-4027344264
Opcode ID: d83ba736eaadca1793a076cdef79126775358e12561e93be49628123eb2e2da5
Instruction ID: bd7d76bb75da295de061fe8ea815f679e1af2e56d410a2e29e1627f76a7d555e
Opcode Fuzzy Hash: d83ba736eaadca1793a076cdef79126775358e12561e93be49628123eb2e2da5
Instruction Fuzzy Hash: B95148F5A00319DFDB14DF94C8849AEBBBAFF48710B24425AE911AB304D771AD41CBA1

Function 070DC590 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 070DC696
std::_Xinvalid_argument.LIBCPMT ref: 070DC71F

Strings

list<T> too long, xrefs: 070DC71A

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: Xinvalid_argument__time64std::_
String ID: list<T> too long
API String ID: 1981659842-4027344264
Opcode ID: 3e83ff2d85c8e955da73c227debfe5d33a25f72ca7bf00687b4965b5fc7d2db2
Instruction ID: d54dbf111aa1475d97b21336cc855bb8fdaae80daeff915408ab20a9c593c135
Opcode Fuzzy Hash: 3e83ff2d85c8e955da73c227debfe5d33a25f72ca7bf00687b4965b5fc7d2db2
Instruction Fuzzy Hash: FE513CB1500709DFDB54DF98C881A9AB7B9FF48320F14876AE8259B291D730ED45CBA1

Function 070B8950 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

recv sn=%lu, xrefs: 070B8A13

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID:
String ID: recv sn=%lu
API String ID: 0-1144994348
Opcode ID: a5b8954d478ef1999a1e57d380f7ab7a87fbba4b7d28522224fcf7f400b78927
Instruction ID: 52ce956c325808c483d1798b06ea0595c71c51bdef036475796922756fd22583
Opcode Fuzzy Hash: a5b8954d478ef1999a1e57d380f7ab7a87fbba4b7d28522224fcf7f400b78927
Instruction Fuzzy Hash: FA515AB1600606EFDB24CF29C580A9AF7E9FF48310F14C269D9198B6A0E771FA54CBD1

Function 070DCC20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_strtok_s.LIBCMT ref: 070DCC3A
SetLastError.KERNEL32(0000000B,070DAED5,?,?), ref: 070DCCA3

Part of subcall function 070B2260: __CxxThrowException@8.LIBCMT ref: 070B2272

Strings

, xrefs: 070DCC34

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorException@8LastThrow_strtok_s
String ID:
API String ID: 4046940521-1129450437
Opcode ID: c8380d73c9b0076eac9757ef44c3dfc5c637d8c685f8fb62d54cb858b56f9552
Instruction ID: c9dd333c190348ff40ad17588bb7575aba6cae7678f76f6c335840fbd7919b14
Opcode Fuzzy Hash: c8380d73c9b0076eac9757ef44c3dfc5c637d8c685f8fb62d54cb858b56f9552
Instruction Fuzzy Hash: 2E31D8B2204349DFEB14DF78D895AAFB7D6EB85314B055359D909CB200DA32AD05CB91

Function 071AAA40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,071ABC77), ref: 071AAA74

Strings

engines\e_capi.c, xrefs: 071AAA98, 071AAAB9, 071AAAE5, 071AAB19, 071AAB29

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: engines\e_capi.c
API String ID: 626452242-2638333933
Opcode ID: bd3cb5dec98acc30c1ee8266c62f15c13b404a9a1ebee9980371bea29460b0fc
Instruction ID: c2d3393d471b6c8a8f1ddc5cce55e016003a77ad22c8676a0b2370683bfeab52
Opcode Fuzzy Hash: bd3cb5dec98acc30c1ee8266c62f15c13b404a9a1ebee9980371bea29460b0fc
Instruction Fuzzy Hash: E421E5F57C43053AF6207AA5BC43F97229CDB81F64F008025F70DEA2C2E6D0A51086E5

Function 0718F5B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0718F5D6
_memset.LIBCMT ref: 0718F672

Strings

crypto\buffer\buffer.c, xrefs: 0718F5EF, 0718F630, 0718F645

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _memset
String ID: crypto\buffer\buffer.c
API String ID: 2102423945-2193715570
Opcode ID: 0be46efc5b0c8d7532abd20765fb05d3ff39b0a37ecee08dcf5e428f3ae3e54e
Instruction ID: f2092c0868a86ef85477be0efb5d814eacaa00ddc4da7c4a1f8e23c05e52e3be
Opcode Fuzzy Hash: 0be46efc5b0c8d7532abd20765fb05d3ff39b0a37ecee08dcf5e428f3ae3e54e
Instruction Fuzzy Hash: 602149F57803006BE3246E29FC82B56B3D9DBD0721F18853DF64AD72C0E7B5E8468661

Function 0723B190 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0723B1B9

Strings

%lu:%s:%s:%d:%s, xrefs: 0723B218
processing, xrefs: 0723B1A8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CurrentThread
String ID: %lu:%s:%s:%d:%s$processing
API String ID: 2882836952-2734553931
Opcode ID: 959e6d32f6a0eef7f064f6fe0cba29202fc4b09523437c55a54c4a07864d1816
Instruction ID: ee060965ffb5509d1d86cbff69a51ed7ea4906e573d0455d5007e1828a1ef4bd
Opcode Fuzzy Hash: 959e6d32f6a0eef7f064f6fe0cba29202fc4b09523437c55a54c4a07864d1816
Instruction Fuzzy Hash: 1E215EF6514346ABD724DB54D841EEBB7ECAFC8744F044A19F68587141EB34E608C7A3

Function 070D45C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81timeCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010D8), ref: 070D45D6
timeGetTime.WINMM(?,?,?,?), ref: 070D4645

Strings

Invalid EOF state, xrefs: 070D460A

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLastTimetime
String ID: Invalid EOF state
API String ID: 3872538547-1983131253
Opcode ID: dbff68a8b7c6462a32e90865c7523d5a4da03cdeac6d563ee63893a48b28c300
Instruction ID: 3030fdc6321e9bb8915c9bc333aa83a4d778b034414b317e440ad2036d7aaba2
Opcode Fuzzy Hash: dbff68a8b7c6462a32e90865c7523d5a4da03cdeac6d563ee63893a48b28c300
Instruction Fuzzy Hash: 1121ADF1500786AFDB20CFA5D880FAA77E8EF44616F048259FD1A8B241D771EC01CBA2

Function 070D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81timeCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010D8), ref: 070D3726
timeGetTime.WINMM(?,?,?,?), ref: 070D3795

Strings

Invalid EOF state, xrefs: 070D375A

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLastTimetime
String ID: Invalid EOF state
API String ID: 3872538547-1983131253
Opcode ID: a6245932488215442bdc1f8a30f3fd27307627b1dc3416331cfe3b737b31d09d
Instruction ID: 43b25368249cfeda94177f696c75e6e743ba8c0bba0ceda984d76c04c6666974
Opcode Fuzzy Hash: a6245932488215442bdc1f8a30f3fd27307627b1dc3416331cfe3b737b31d09d
Instruction Fuzzy Hash: A3218BF5200B46DBCB60CF65DC80BBAB7E8AF4A654F048659E9188B240C770ED01CBA2

Function 070D8310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 070D6C40: _memmove.LIBCMT ref: 070D6C9B

WaitForSingleObject.KERNEL32(?,?), ref: 070D8368
SetLastError.KERNEL32 ref: 070D83D7

Strings

CHttpSyncClientT<class CSSLClient,443>::SendWSMessage, xrefs: 070D83C2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLastObjectSingleWait_memmove
String ID: CHttpSyncClientT<class CSSLClient,443>::SendWSMessage
API String ID: 983526275-4166858666
Opcode ID: f938da399828fa5c14a3957b9427f719b46cd5137796b1d7c23bf3a9b3b9040c
Instruction ID: 11e6d851271cd0ec9913dbc935fe256e4cc046e23a61a416e4cf2bc4a7b1433a
Opcode Fuzzy Hash: f938da399828fa5c14a3957b9427f719b46cd5137796b1d7c23bf3a9b3b9040c
Instruction Fuzzy Hash: BE213DB23147059BDB14DE68D855EAB73E9EB89714F00876DF95EC72C0DBA0AD0187A0

Function 070D7090 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 070D6C40: _memmove.LIBCMT ref: 070D6C9B

WaitForSingleObject.KERNEL32(?,?), ref: 070D70E8
SetLastError.KERNEL32 ref: 070D7157

Strings

CHttpSyncClientT<class CTcpClient,80>::SendWSMessage, xrefs: 070D7142

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLastObjectSingleWait_memmove
String ID: CHttpSyncClientT<class CTcpClient,80>::SendWSMessage
API String ID: 983526275-559251722
Opcode ID: ab9fb754ecbf93625cac51facee5b268333a4ac55b51331976ac8ee8e7a29062
Instruction ID: 8bf9f616f4e6345e98843192940f63464e45aebbf243a5edb2f60a11aa5cc87f
Opcode Fuzzy Hash: ab9fb754ecbf93625cac51facee5b268333a4ac55b51331976ac8ee8e7a29062
Instruction Fuzzy Hash: 522160B22207059BDB18DE68DC55EAB73E9EB89710F00975DF95AC7280DB60AC01C7A0

Function 071AB610 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000,071AD0D1), ref: 071AB62B

Strings

engines\e_capi.c, xrefs: 071AB63E, 071AB66A, 071AB6A9, 071AB6C2

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CertCertificateContextProperty
String ID: engines\e_capi.c
API String ID: 665277682-2638333933
Opcode ID: 36abdddaac049dedc6bfe91a40f49dcd4d3514856c7a3ced1a8a438033f317cf
Instruction ID: a85e85de535d6fa95024df52dbaf9427441cad2065f9fcc235615c69e9cdc768
Opcode Fuzzy Hash: 36abdddaac049dedc6bfe91a40f49dcd4d3514856c7a3ced1a8a438033f317cf
Instruction Fuzzy Hash: 8811A7F5789312BAF620B7B1BC83F5B529C9B40B65F104019F70DD92C1E7A4D5104AE6

Function 070EEB40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 070B9E10: InterlockedCompareExchange.KERNEL32(0736D06C,00000001,00000000), ref: 070B9E25
Part of subcall function 070B9E10: SwitchToThread.KERNEL32 ref: 070B9E39

WaitForSingleObject.KERNEL32(?,000000FF), ref: 070EEBA3
std::_Xinvalid_argument.LIBCPMT ref: 070EEBDD

Strings

list<T> too long, xrefs: 070EEBD8

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: CompareExchangeInterlockedObjectSingleSwitchThreadWaitXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 4003689891-4027344264
Opcode ID: c42a39333113fceb2d929425fd6524cf7e660643042393ddce588f1d93a2b9c2
Instruction ID: 265e4b77bb8889383d01cad5e6002224f2ef2c1536a9c897853b23c51c4d74e2
Opcode Fuzzy Hash: c42a39333113fceb2d929425fd6524cf7e660643042393ddce588f1d93a2b9c2
Instruction Fuzzy Hash: 7F2151B1604609EFD714DF64D980BD6F7E9FB49720F10872AE96A87380DB34A915CB90

Function 070D8240 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?), ref: 070D828C
SetLastError.KERNEL32 ref: 070D82F9

Strings

CHttpSyncClientT<class CSSLClient,443>::SendRequest, xrefs: 070D82E4

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: CHttpSyncClientT<class CSSLClient,443>::SendRequest
API String ID: 1211598281-2290349448
Opcode ID: 52c0079b4f638356bd49815d138611cd0bd5e9e2fe5004d99f32941775c68685
Instruction ID: 246218b402ff3e875102e7b29ab7b7dc24fbf8606a31c424d3f34ae64d94af2f
Opcode Fuzzy Hash: 52c0079b4f638356bd49815d138611cd0bd5e9e2fe5004d99f32941775c68685
Instruction Fuzzy Hash: 36215EB12107059BDB58EF68D855EBB73E9EF89710F00862DF91AC7280E770E80187A0

Function 070D6FC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?), ref: 070D700C
SetLastError.KERNEL32 ref: 070D7079

Strings

CHttpSyncClientT<class CTcpClient,80>::SendRequest, xrefs: 070D7064

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: CHttpSyncClientT<class CTcpClient,80>::SendRequest
API String ID: 1211598281-3747731813
Opcode ID: 3e0704b975489ac4007a1cec86f290a0ac43cbfac2c086debac8e062294077fe
Instruction ID: 9eab64dd268b7ac4231822bcdc0c9163b30142721eb9c992025bd12449e82387
Opcode Fuzzy Hash: 3e0704b975489ac4007a1cec86f290a0ac43cbfac2c086debac8e062294077fe
Instruction Fuzzy Hash: 3A2151B2610705DBDB14EE68DC59EAB77E9EF85710F00962DF91AC7280D771E801C761

Function 070D8190 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 070EF3E0: SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 070EF47B
Part of subcall function 070EF3E0: ResetEvent.KERNEL32(00000002,?,?,?,?,?,?), ref: 070EF4CD

WaitForSingleObject.KERNEL32(?,?,?,?,00000001,?,?), ref: 070D81D6
SetLastError.KERNEL32 ref: 070D822E

Strings

CHttpSyncClientT<class CSSLClient,443>::Start, xrefs: 070D8219

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$EventObjectResetSingleWait
String ID: CHttpSyncClientT<class CSSLClient,443>::Start
API String ID: 2267819996-568597545
Opcode ID: 0451f15d806dd10536ca0cd9632ee6264baa59f0044442baf4d493a0e686ca97
Instruction ID: 9f388e8dc9402ffbe52c11c17913fcca1fd1e432ad2db16606d385ca0ddaf3a2
Opcode Fuzzy Hash: 0451f15d806dd10536ca0cd9632ee6264baa59f0044442baf4d493a0e686ca97
Instruction Fuzzy Hash: 85113DB13103059FDB24DE69D945FABB3EDEF84754F00862DF51AD7281DB71A90187A0

Function 070D6F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 070EF3E0: SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 070EF47B
Part of subcall function 070EF3E0: ResetEvent.KERNEL32(00000002,?,?,?,?,?,?), ref: 070EF4CD

WaitForSingleObject.KERNEL32(?,?,?,?,00000001,?,?), ref: 070D6F56
SetLastError.KERNEL32 ref: 070D6FAE

Strings

CHttpSyncClientT<class CTcpClient,80>::Start, xrefs: 070D6F99

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast$EventObjectResetSingleWait
String ID: CHttpSyncClientT<class CTcpClient,80>::Start
API String ID: 2267819996-4146076942
Opcode ID: 7ddbf6538cca78166e1d461af9f6f61f5a161957b4e39c590c55920a97fe1b55
Instruction ID: c50589963376119ad7d2b6764502550a9a0eca1d903e55eca097ee4649f4774e
Opcode Fuzzy Hash: 7ddbf6538cca78166e1d461af9f6f61f5a161957b4e39c590c55920a97fe1b55
Instruction Fuzzy Hash: 85113DB13507069FEB24DE69D945FABB3E9AB84750F00862DF51AC7280DB71AD018BA0

Function 070E5570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003A,?,070E5A56,18B52151), ref: 070E558C
_swscanf.LIBCMT ref: 070E55C5

Strings

%d.%d.%d.%d%c, xrefs: 070E55BF

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: _swscanf
String ID: %d.%d.%d.%d%c
API String ID: 2748852333-2398565245
Opcode ID: e4502e2ad48f2c439736c499362609f555d23f73561ae3a5d5e02afb611c69ae
Instruction ID: 86d81e9e964cd8642cf88d77b2659fe4cf1ecef3374677ed861dcd0f08281ed4
Opcode Fuzzy Hash: e4502e2ad48f2c439736c499362609f555d23f73561ae3a5d5e02afb611c69ae
Instruction Fuzzy Hash: 1D11C6F2B1010D9FEB68DBA4DC61BFE73BDDB05604F50066DE90797280EB219A14C792

Function 070E6520 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

WSARecvFrom.WS2_32(00000002,?,00000001,00000002,070FE830,00000002,?,00000000,00000000), ref: 070E656B
WSAGetLastError.WS2_32 ref: 070E6576

Strings

D', xrefs: 070E658A

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorFromLastRecv
String ID: D'
API String ID: 1754479778-1892035989
Opcode ID: 06956a4366ae28f93d6ba9f3454d6ba0f7bf95b3bc1b05e2f9a9e92b6640e902
Instruction ID: 8b33106d7dcfcdb0cbe4f059029210c30b244f1b2fb70dadba870f927474d7ef
Opcode Fuzzy Hash: 06956a4366ae28f93d6ba9f3454d6ba0f7bf95b3bc1b05e2f9a9e92b6640e902
Instruction Fuzzy Hash: DA118AB2A10204AFDB14DF58E8899EE77BCEB44310F5442AAE915D7280E775DA548B90

Function 070EEAC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 070EEAD3

Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 07248545
Part of subcall function 07248530: __CxxThrowException@8.LIBCMT ref: 0724855A
Part of subcall function 07248530: std::exception::exception.LIBCMT ref: 0724856B

_memmove.LIBCMT ref: 070EEAFE

Strings

vector<T> too long, xrefs: 070EEACE

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 1236d1408a67b2be9b19dce094ee42a04bda6f786375e5e4ed67524ac63f4e84
Instruction ID: 97df01cbc56d6d8968df0a603025611ff722ce7fdd5fca5e1cbcccb0bee51138
Opcode Fuzzy Hash: 1236d1408a67b2be9b19dce094ee42a04bda6f786375e5e4ed67524ac63f4e84
Instruction Fuzzy Hash: F9014FF161020A9FE728DFA8CCD186BB7D9EB546147144A2DE49BC7640E670F8018B51

Function 07248A7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__get_sys_err_msg.LIBCMT ref: 07248AAF
__invoke_watson.LIBCMT ref: 07248ACB

Part of subcall function 0724AA53: __getptd_noexit.LIBCMT ref: 0724AA53

Strings

Operation not permitted, xrefs: 07248A83

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: __get_sys_err_msg__getptd_noexit__invoke_watson
String ID: Operation not permitted
API String ID: 837821014-3249010025
Opcode ID: 36b42c500213ad6ce56fb3eb8a09930259d7dad59bbd65d4a84ec5694b26374e
Instruction ID: b4765f459ff5f57df5f5b5eb041ee465c31360b38973be06a6f0fc98b230b863
Opcode Fuzzy Hash: 36b42c500213ad6ce56fb3eb8a09930259d7dad59bbd65d4a84ec5694b26374e
Instruction Fuzzy Hash: 82F0E5B313012ABBDB29BE55DC04DEF7BACDFC16B0B144422FE2C87100DAB1894186E2

Function 070E9370 Relevance: 5.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000010D2,?,?,?,?,?,?,?,00000000,?,070E8FCC,00000000), ref: 070E9462
SetLastError.KERNEL32(000000E8,?,?,?,?,?,?,?,?,00000000,?,070E8FCC,00000000), ref: 070E94F0
SetLastError.KERNEL32(0000065F,?,?,?,?,?,?,?,?,?,00000000,?,070E8FCC,00000000), ref: 070E9500
SetLastError.KERNEL32(0000065F,?,?,?,00000000,?,070E8FCC,00000000,?,?,?,?,?,?,?,?), ref: 070E9517

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7b1cc81179f69ebb29f961f46eefd4795d581316269b21bb731a18e59b54203b
Instruction ID: bee8e8bc3e0dd1c4a41fb6b936e087053fdf27e156dfff66d7d2271300d04618
Opcode Fuzzy Hash: 7b1cc81179f69ebb29f961f46eefd4795d581316269b21bb731a18e59b54203b
Instruction Fuzzy Hash: 18411AF6E20205BBE720B6B56C45F6F76BC5F81604F048665ED19A62C1FBB1E600C7A3

Function 070E9240 Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000065F,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 070E9278
SetLastError.KERNEL32(00000490,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 070E9292

Memory Dump Source

Source File: 00000000.00000002.3294927605.00000000070B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070B0000, based on PE: true

Associated: 00000000.00000002.3294927605.0000000007361000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000736C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.000000000738C000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3294927605.0000000007397000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_25.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1a65d3920e4a64679657cb1dcc82521ae85135160d4cd9a9d17b5a7a36af295f
Instruction ID: 18adf89d4fc9808b81005a15e90f78824c752327091fdc1eb035b70a31790e8a
Opcode Fuzzy Hash: 1a65d3920e4a64679657cb1dcc82521ae85135160d4cd9a9d17b5a7a36af295f
Instruction Fuzzy Hash: 21310CF1A50104AFDB20AB75EC85AAF77BCEB41355F044266FD19962C0E730AA54C7E3

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 25.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Origin\plug\7za.exe

C:\Origin\plug\pic.zip

C:\Origin\plug\plug.zip

C:\Origin\plug\update.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
25.exe

Function 070F0DA0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 192
networkCOMMON

Function 070C7150 Relevance: 33.2, APIs: 22, Instructions: 229
synchronizationCOMMON

Function 070EF3E0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 168
networkCOMMON

Function 070F2280 Relevance: 15.2, APIs: 10, Instructions: 241
COMMON

Function 070D2750 Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Function 070D1440 Relevance: 13.7, APIs: 9, Instructions: 212
COMMON

Function 070E57C0 Relevance: 13.6, APIs: 9, Instructions: 141
networkstringCOMMON

Function 070EFA30 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Function 07249922 Relevance: 12.1, APIs: 8, Instructions: 63
threadCOMMON

Function 070EF7E0 Relevance: 10.7, APIs: 7, Instructions: 201
networkCOMMON

Function 070EFB20 Relevance: 10.6, APIs: 7, Instructions: 128
threadnetworkCOMMON

Function 070E6290 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Function 070EFF90 Relevance: 9.1, APIs: 6, Instructions: 121
memoryCOMMON

Function 070D2210 Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Function 070C73D0 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON