Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
czcansrv.exe

Overview

General Information

Sample name:czcansrv.exe
Analysis ID:1542032
MD5:52d32df86af95f0844fc3dd43956c997
SHA1:44789fd469a3164712d00e89e7b2b7d3aa4d02e9
SHA256:3ad754f08c2f4c4fca7ff66937838429c893e3bceb2b6aa73768c90eb1276664
Infos:

Detection

Score:28
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • czcansrv.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\czcansrv.exe" MD5: 52D32DF86AF95F0844FC3DD43956C997)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.4% probability
Source: czcansrv.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: czcansrv.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Agent1\work\435\s\Sources\CZCanSrv\ReleaseMinDependency\CZCanSrv.pdb source: czcansrv.exe
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E222F3 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00E222F3
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCE0DA Sleep,WSAGetOverlappedResult,WSARecv,WaitForSingleObject,SetEvent,SetEvent,GetTickCount,SetEvent,0_2_00DCE0DA
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEC41B: EnterCriticalSection,DeviceIoControl,GetLastError,GetLastError,GetOverlappedResult,GetLastError,LeaveCriticalSection,0_2_00DEC41B
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCC525 OpenSCManagerA,MessageBoxA,OpenServiceA,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00DCC525
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E101EF0_2_00E101EF
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E121A60_2_00E121A6
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E2C2800_2_00E2C280
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DC43900_2_00DC4390
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E125D60_2_00E125D6
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E2A5470_2_00E2A547
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E105460_2_00E10546
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E346A00_2_00E346A0
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCC6AE0_2_00DCC6AE
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DE674B0_2_00DE674B
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DF47600_2_00DF4760
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E1088E0_2_00E1088E
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E2C92F0_2_00E2C92F
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DE2C070_2_00DE2C07
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E10C1C0_2_00E10C1C
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCEDB20_2_00DCEDB2
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DE8D440_2_00DE8D44
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DE4D0E0_2_00DE4D0E
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E10FB90_2_00E10FB9
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DD8F6C0_2_00DD8F6C
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DD30C20_2_00DD30C2
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E113470_2_00E11347
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E116AC0_2_00E116AC
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E2B9300_2_00E2B930
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E11A200_2_00E11A20
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DC3BFE0_2_00DC3BFE
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E1FDC50_2_00E1FDC5
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E11D850_2_00E11D85
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E0FEA70_2_00E0FEA7
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E2BE400_2_00E2BE40
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DE3F480_2_00DE3F48
Source: C:\Users\user\Desktop\czcansrv.exeCode function: String function: 00DEDD71 appears 109 times
Source: C:\Users\user\Desktop\czcansrv.exeCode function: String function: 00DEE970 appears 61 times
Source: C:\Users\user\Desktop\czcansrv.exeCode function: String function: 00E21708 appears 33 times
Source: C:\Users\user\Desktop\czcansrv.exeCode function: String function: 00DC2AB0 appears 42 times
Source: C:\Users\user\Desktop\czcansrv.exeCode function: String function: 00E1E6C5 appears 54 times
Source: C:\Users\user\Desktop\czcansrv.exeCode function: String function: 00DEDD1C appears 49 times
Source: czcansrv.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: sus28.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\czcansrv.exeCode function: OpenSCManagerA,GetModuleFileNameA,CreateServiceA,CloseServiceHandle,MessageBoxA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00DCA4C1
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DC63EB CoCreateInstance,0_2_00DC63EB
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCB1AF __EH_prolog3_catch_GS,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary,0_2_00DCB1AF
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCC41F StartServiceCtrlDispatcherA,0_2_00DCC41F
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCC41F StartServiceCtrlDispatcherA,0_2_00DCC41F
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: UnregServer0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: RegServer0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: AtlServer0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: Service0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: RegUser0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: AppID0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: LocalService0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: UnregServer0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: RegServer0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: AtlServer0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: Service0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: RegUser0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: AppID0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: LocalService0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exeCommand line argument: 0$0_2_00DCCEF1
Source: czcansrv.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\czcansrv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\czcansrv.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\czcansrv.exeSection loaded: hid.dllJump to behavior
Source: C:\Users\user\Desktop\czcansrv.exeSection loaded: kernel.appcore.dllJump to behavior
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: czcansrv.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: czcansrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Agent1\work\435\s\Sources\CZCanSrv\ReleaseMinDependency\CZCanSrv.pdb source: czcansrv.exe
Source: czcansrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: czcansrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: czcansrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: czcansrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: czcansrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEA8DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DEA8DC
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEE310 push ecx; ret 0_2_00DEE9D3
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEDD3F push ecx; ret 0_2_00DEDD52
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DCC41F StartServiceCtrlDispatcherA,0_2_00DCC41F
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DC1CED LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DC1CED
Source: C:\Users\user\Desktop\czcansrv.exeAPI coverage: 1.0 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E222F3 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00E222F3
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DFDC97 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,0_2_00DFDC97
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEE767 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DEE767
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DFDC97 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C0_2_00DFDC97
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEA8DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DEA8DC
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E190C2 mov ecx, dword ptr fs:[00000030h]0_2_00E190C2
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E21965 mov eax, dword ptr fs:[00000030h]0_2_00E21965
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E217BC mov eax, dword ptr fs:[00000030h]0_2_00E217BC
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E21779 mov eax, dword ptr fs:[00000030h]0_2_00E21779
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E21736 mov eax, dword ptr fs:[00000030h]0_2_00E21736
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E218DD mov eax, dword ptr fs:[00000030h]0_2_00E218DD
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E21817 mov eax, dword ptr fs:[00000030h]0_2_00E21817
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E21996 mov eax, dword ptr fs:[00000030h]0_2_00E21996
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E21921 mov eax, dword ptr fs:[00000030h]0_2_00E21921
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00E247B4 GetProcessHeap,0_2_00E247B4
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEE767 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DEE767
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEE8FE SetUnhandledExceptionFilter,0_2_00DEE8FE
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DFD7E9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DFD7E9
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEDF29 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00DEDF29
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DEEBA1 cpuid 0_2_00DEEBA1
Source: C:\Users\user\Desktop\czcansrv.exeCode function: EnumSystemLocalesW,0_2_00E1E0C3
Source: C:\Users\user\Desktop\czcansrv.exeCode function: GetLocaleInfoW,0_2_00E280CC
Source: C:\Users\user\Desktop\czcansrv.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00E2819B
Source: C:\Users\user\Desktop\czcansrv.exeCode function: EnumSystemLocalesW,0_2_00E1E254
Source: C:\Users\user\Desktop\czcansrv.exeCode function: EnumSystemLocalesW,0_2_00E1E222
Source: C:\Users\user\Desktop\czcansrv.exeCode function: GetLocaleInfoW,0_2_00E1EB7F
Source: C:\Users\user\Desktop\czcansrv.exeCode function: EnumSystemLocalesW,0_2_00E27ABB
Source: C:\Users\user\Desktop\czcansrv.exeCode function: EnumSystemLocalesW,0_2_00E27BBF
Source: C:\Users\user\Desktop\czcansrv.exeCode function: EnumSystemLocalesW,0_2_00E27B24
Source: C:\Users\user\Desktop\czcansrv.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00E27C4A
Source: C:\Users\user\Desktop\czcansrv.exeCode function: GetLocaleInfoW,0_2_00E27E9D
Source: C:\Users\user\Desktop\czcansrv.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00E27FC6
Source: C:\Users\user\Desktop\czcansrv.exeCode function: 0_2_00DD82B9 GetLocalTime,0_2_00DD82B9

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		14
Windows Service		14
Windows Service		1
Disable or Modify Tools		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts12
Service Execution		1
DLL Side-Loading		1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		LSASS Memory2
Security Software Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Native API		Logon Script (Windows)Logon Script (Windows)2
Obfuscated Files or Information		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS23
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
czcansrv.exe5%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542032
Start date and time:2024-10-25 13:19:01 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 18s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:czcansrv.exe
Detection:SUS
Classification:sus28.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 10
  • Number of non-executed functions: 233
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated

Warnings

  • VT rate limit hit for: czcansrv.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.613701793342054
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:czcansrv.exe
File size:672'256 bytes
MD5:52d32df86af95f0844fc3dd43956c997
SHA1:44789fd469a3164712d00e89e7b2b7d3aa4d02e9
SHA256:3ad754f08c2f4c4fca7ff66937838429c893e3bceb2b6aa73768c90eb1276664
SHA512:a1b84aaf467086c0430bc4615036d7fdbda4cc710a35429ab65103f1daed80f56a5013f1b73ab0f01509fe37da3bdac61d47353e2954f0034312ccc468248fee
SSDEEP:12288:CWsErQDDhCK0KEeZp44OaVDrQuBLouSWHmSrhm4AwfHfEM8wl1vN:RrKDhCoEeZp44OaV4VSb8wl1vN
TLSH:EEE49E12F58180B7CA3225310A66B37556FFA8712E2267CB539C077E6FB45D0AF1623B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d.{.d.{.d.{...x.o.{...~...{.6...u.{.6.x.q.{.6.~.R.{.....r.{...b.f.{.d.z...{...z.k.{...~.z.{.....e.{.d...e.{...y.e.{.Richd.{

File Icon

Icon Hash:90cececece8e8eb0

Static PE Info

General

Entrypoint:0x42e5dc
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x64ACFA30 [Tue Jul 11 06:44:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:7ad32d3ce41e5e74f9073f467044d27c

Entrypoint Preview

Instruction
call 00007FE35CB50083h
jmp 00007FE35CB4F6CAh
retn 0000h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, 00488800h
mov ecx, 004887C4h
sub eax, edx
sub ecx, edx
cmp eax, ecx
jnbe 00007FE35CB4F893h
int3
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, 00488800h
mov ecx, 004887C4h
sub eax, edx
sub ecx, edx
cmp eax, ecx
jnbe 00007FE35CB4F897h
push 00000041h
pop ecx
int 29h
pop ebp
ret
retn 0000h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, 00488800h
mov ecx, 004887C4h
sub eax, edx
sub ecx, edx
cmp eax, ecx
jnbe 00007FE35CB4F8B1h
cmp dword ptr [0049295Ch], 00000000h
je 00007FE35CB4F8A8h
push esi
mov esi, dword ptr [0049295Ch]
mov ecx, esi
push dword ptr [ebp+08h]
call dword ptr [0047A388h]
call esi
pop ecx
pop esi
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, 00488800h
mov ecx, 004887C4h
sub eax, edx
sub ecx, edx
cmp ecx, eax
sbb eax, eax
inc eax
pop ebp
ret
push ebp
mov ebp, esp
mov ecx, dword ptr [ebp+08h]
mov eax, ecx
sub eax, dword ptr [ebp+0Ch]
sub eax, 004887C0h
sub eax, 40h
cmp eax, dword ptr [ebp+10h]

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x8eca40xb4.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x940000xda18.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0xa20000x5748.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x8869c0x54.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x887c80x18.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x886f00x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x7a0000x388.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x78a890x78c008fbc8c037f1a2f7d7a18be6f22d31dd7False0.4512507278726708data6.644117024573216IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x7a0000x15ed40x16000644bc625a606202766692e82b5bdca25False0.3907803622159091data5.264404162191819IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x900000x38bc0x1e0076fbe0db58c9f57330955d020ef4c8a8False0.187890625data4.500306810151821IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x940000xda180xdc001efc546342993356bad798a45c7fa381False0.314453125data5.198439058553413IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0xa20000x57480x5800565f8c64c105122758dba8c36f2d44c7False0.7017045454545454data6.6435449201237065IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
REGISTRY0x945300xb3ASCII text, with CRLF line terminatorsGermanGermany0.659217877094972
REGISTRY0x945e80x25eASCII text, with CRLF line terminatorsGermanGermany0.4900990099009901
REGISTRY0x948480x276ASCII text, with CRLF line terminatorsGermanGermany0.473015873015873
REGISTRY0x94ac00x28eASCII text, with CRLF line terminatorsGermanGermany0.4648318042813456
TYPELIB0x94d500xcb14dataGermanGermany0.3158421174117104
RT_STRING0xa18680x30dataGermanGermany0.6041666666666666
RT_VERSION0x942300x2fcdataGermanGermany0.4869109947643979
RT_MANIFEST0xa18980x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

Imports

DLLImport
WS2_32.dllhtons, recvfrom, sendto, setsockopt, gethostbyaddr, gethostbyname, WSAStartup, WSASetLastError, WSAGetLastError, WSAConnect, WSAEventSelect, WSAGetOverlappedResult, WSARecv, inet_ntoa, inet_addr, WSACleanup, WSASocketA, WSASend, closesocket
SETUPAPI.dllSetupDiGetDeviceInterfaceDetailA, SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiDestroyDeviceInfoList
HID.DLLHidP_GetCaps, HidD_GetHidGuid, HidD_GetPreparsedData, HidD_GetSerialNumberString, HidD_GetAttributes
KERNEL32.dllSetEvent, ResetEvent, WaitForSingleObject, CreateEventA, Sleep, WaitForMultipleObjects, GetProcAddress, LoadLibraryA, MultiByteToWideChar, CreateFileA, ReadFile, WriteFile, GetOverlappedResult, CreateThread, GetTickCount, SetupComm, GetCommState, SetCommState, SetCommTimeouts, GetCommandLineA, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, RaiseException, GetModuleFileNameA, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, LoadLibraryExA, LoadResource, SizeofResource, lstrcmpiA, FindResourceA, WideCharToMultiByte, IsDBCSLeadByte, GetProfileIntA, GetLocalTime, SetPriorityClass, GetPriorityClass, WriteProfileStringA, DeviceIoControl, CancelIo, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapReAlloc, HeapSize, HeapAlloc, HeapFree, CloseHandle, DecodePointer, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetModuleHandleW, GetLastError, EnumSystemLocalesW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW, GetProcessHeap, SetConsoleCtrlHandler, SetStdHandle, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, GetConsoleOutputCP, GetConsoleMode, FlushFileBuffers, ReadConsoleW, CreateFileW, FreeLibrary, GetStdHandle, GetModuleFileNameW, GetModuleHandleExW, ExitProcess, VirtualQuery, VirtualProtect, VirtualAlloc, GetSystemInfo, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EncodePointer, SetLastError, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, CreateEventW, WaitForSingleObjectEx, OutputDebugStringW, IsDebuggerPresent
USER32.dllUnregisterClassA, wsprintfA, LoadStringA, GetMessageA, DispatchMessageA, PostThreadMessageA, CharNextA, MessageBoxA, CharNextW
ADVAPI32.dllRegQueryInfoKeyA, StartServiceCtrlDispatcherA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenServiceA, OpenSCManagerA, DeleteService, CreateServiceA, ControlService, CloseServiceHandle, RegSetValueExA, RegQueryInfoKeyW, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, ReportEventA, RegisterEventSourceA, DeregisterEventSource, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, IsValidSid, InitializeSecurityDescriptor, GetTokenInformation, GetLengthSid, CopySid, OpenThreadToken, OpenProcessToken, RegQueryValueExA, RegOpenKeyExA, RegOpenKeyA, RegEnumValueA, RegCloseKey
ole32.dllCoInitialize, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, StringFromGUID2, CoUninitialize, CoInitializeSecurity, CoRevokeClassObject, CoRegisterClassObject, CoInitializeEx, CoCreateInstance
OLEAUT32.dllSysFreeString, VariantClear, VariantInit, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayDestroy, SafeArrayCreate, VarBstrCmp, VarBstrCat, SysAllocStringByteLen, SysStringByteLen, UnRegisterTypeLib, RegisterTypeLib, LoadRegTypeLib, LoadTypeLib, VarUI4FromStr, SysAllocString, SysStringLen, SysAllocStringLen, VariantCopy

Possible Origin

Language of compilation systemCountry where language is spokenMap
GermanGermany
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

General

Target ID:0
Start time:07:19:51
Start date:25/10/2024
Path:C:\Users\user\Desktop\czcansrv.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\czcansrv.exe"
Imagebase:0xdc0000
File size:672'256 bytes
MD5 hash:52D32DF86AF95F0844FC3DD43956C997
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:0.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:21.2%
    Total number of Nodes:151
    Total number of Limit Nodes:4
    execution_graph 56764 dee411 56799 deedcf 56764->56799 56766 dee416 ___scrt_is_nonwritable_in_current_image 56803 dedb33 56766->56803 56768 dee42e 56769 dee581 56768->56769 56786 dee458 ___scrt_is_nonwritable_in_current_image __InternalCxxFrameHandler ___scrt_release_startup_lock 56768->56786 56858 dee767 4 API calls 2 library calls 56769->56858 56771 dee588 56851 e191ec 56771->56851 56775 dee596 56777 dee882 GetStartupInfoW 56775->56777 56776 dee477 56778 dee59d 56777->56778 56779 e1ad56 55 API calls 56778->56779 56780 dee5a5 56779->56780 56781 dccef1 230 API calls 56780->56781 56782 dee5b3 56781->56782 56783 dee4f8 56811 dee882 56783->56811 56786->56776 56786->56783 56854 e189dd 48 API calls 3 library calls 56786->56854 56793 dee51a 56793->56771 56794 dee51e 56793->56794 56795 dee527 56794->56795 56856 e1919a 23 API calls __InternalCxxFrameHandler 56794->56856 56857 dedca4 83 API calls ___scrt_uninitialize_crt 56795->56857 56798 dee52f 56798->56776 56800 deede5 56799->56800 56802 deedee 56800->56802 56860 deed82 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 56800->56860 56802->56766 56804 dedb3c 56803->56804 56861 deeba1 IsProcessorFeaturePresent 56804->56861 56806 dedb48 56862 df2354 10 API calls 2 library calls 56806->56862 56808 dedb4d 56809 dedb51 56808->56809 56863 df2389 7 API calls 2 library calls 56808->56863 56809->56768 56864 def750 56811->56864 56813 dee895 GetStartupInfoW 56814 dee4fe 56813->56814 56815 e1ad56 56814->56815 56865 e233a0 56815->56865 56817 dee506 56820 dccef1 GetCommandLineA 56817->56820 56818 e1ad5f 56818->56817 56871 e23914 48 API calls __ismbbgraph 56818->56871 56874 dca30b 56820->56874 56822 dccf29 56877 dc996f 56822->56877 56824 dccf57 56825 dccfca 56824->56825 56827 dccf65 lstrcmpiA 56824->56827 56848 dc996f 3 API calls 56824->56848 56883 dcaa62 56825->56883 56829 dccf75 lstrcmpiA 56827->56829 56830 dcd0c1 56827->56830 56833 dccf85 lstrcmpiA 56829->56833 56835 dcd0af 56829->56835 56894 dcc677 94 API calls 56830->56894 56831 dcd091 56837 dcd09c 56831->56837 56838 dcd095 RegCloseKey 56831->56838 56833->56835 56836 dccf95 lstrcmpiA 56833->56836 56834 dcaa62 5 API calls 56839 dcd030 56834->56839 56893 dcb4a1 109 API calls 2 library calls 56835->56893 56836->56835 56841 dccfa5 lstrcmpiA 56836->56841 56892 dedd31 5 API calls ___raise_securityfailure 56837->56892 56838->56837 56843 dcd076 56839->56843 56890 dcad09 RegQueryValueExA RaiseException 56839->56890 56841->56824 56841->56835 56843->56831 56847 dcd085 RegCloseKey 56843->56847 56844 dcd0bf 56844->56837 56845 dcd0ab 56855 dee8bb GetModuleHandleW 56845->56855 56847->56831 56848->56824 56849 dcd05e 56891 dcc41f 154 API calls 56849->56891 56905 e18fae 56851->56905 56854->56783 56855->56793 56856->56795 56857->56798 56858->56771 56859 e191a9 23 API calls __InternalCxxFrameHandler 56859->56775 56860->56802 56861->56806 56862->56808 56863->56809 56864->56813 56866 e233a9 56865->56866 56870 e233db 56865->56870 56872 e1dcfd 48 API calls 3 library calls 56866->56872 56868 e233cc 56873 e231a8 55 API calls 3 library calls 56868->56873 56870->56818 56871->56818 56872->56868 56873->56870 56895 dca2ac 56874->56895 56878 dc997b 56877->56878 56879 dc99a5 56877->56879 56878->56879 56880 dc999c CharNextA 56878->56880 56881 dc99ab CharNextA 56878->56881 56882 dc9995 CharNextA 56878->56882 56879->56824 56880->56878 56880->56879 56881->56879 56882->56878 56884 dcaa8c RegOpenKeyExA 56883->56884 56885 dcaa85 56883->56885 56887 dcaa8a 56884->56887 56897 dcaf2b 56885->56897 56888 dcaa9f 56887->56888 56904 dc9334 RegCloseKey 56887->56904 56888->56831 56888->56834 56890->56849 56891->56843 56892->56845 56893->56844 56894->56837 56896 dca2b7 LoadStringA 56895->56896 56896->56822 56898 dcaf6c 56897->56898 56899 dcaf36 GetModuleHandleA 56897->56899 56901 dcaf72 RegOpenKeyExA 56898->56901 56903 dcaf7a 56898->56903 56900 dcaf45 GetProcAddress 56899->56900 56899->56903 56902 dcaf55 56900->56902 56900->56903 56901->56903 56902->56903 56903->56887 56904->56888 56906 e18fdb 56905->56906 56907 e18fed 56905->56907 56932 e1907f GetModuleHandleW 56906->56932 56917 e18d1d 56907->56917 56910 e18fe0 56910->56907 56933 e190e4 GetModuleHandleExW 56910->56933 56912 dee58e 56912->56859 56915 e1903f 56918 e18d29 ___scrt_is_nonwritable_in_current_image 56917->56918 56939 e216c0 EnterCriticalSection 56918->56939 56920 e18d33 56940 e18e80 56920->56940 56922 e18d40 56944 e18d5e 56922->56944 56925 e19045 56949 e190c2 56925->56949 56928 e19063 56930 e190e4 __InternalCxxFrameHandler 3 API calls 56928->56930 56929 e19053 GetCurrentProcess TerminateProcess 56929->56928 56931 e1906b ExitProcess 56930->56931 56932->56910 56934 e19123 GetProcAddress 56933->56934 56935 e19144 56933->56935 56934->56935 56938 e19137 56934->56938 56936 e18fec 56935->56936 56937 e1914a FreeLibrary 56935->56937 56936->56907 56937->56936 56938->56935 56939->56920 56942 e18e8c ___scrt_is_nonwritable_in_current_image 56940->56942 56941 e18ef3 __InternalCxxFrameHandler 56941->56922 56942->56941 56947 e1a786 14 API calls 3 library calls 56942->56947 56948 e21708 LeaveCriticalSection 56944->56948 56946 e18d4c 56946->56912 56946->56925 56947->56941 56948->56946 56954 e21965 GetPEB 56949->56954 56952 e1904f 56952->56928 56952->56929 56953 e190cc GetPEB 56953->56952 56955 e190c7 56954->56955 56956 e2197f 56954->56956 56955->56952 56955->56953 56958 e1e825 56956->56958 56961 e1e6c5 56958->56961 56962 e1e6f3 56961->56962 56963 e1e6ef 56961->56963 56962->56963 56968 e1e5fa 56962->56968 56963->56955 56966 e1e70d GetProcAddress 56966->56963 56967 e1e71d __strnicoll 56966->56967 56967->56963 56969 e1e60b try_get_module 56968->56969 56970 e1e6a1 56969->56970 56971 e1e629 LoadLibraryExW 56969->56971 56975 e1e677 LoadLibraryExW 56969->56975 56970->56963 56970->56966 56972 e1e644 GetLastError 56971->56972 56973 e1e6a8 56971->56973 56972->56969 56973->56970 56974 e1e6ba FreeLibrary 56973->56974 56974->56970 56975->56969 56975->56973

    Executed Functions

    Function 00DCCEF1 Relevance: 35.1, APIs: 8, Strings: 12, Instructions: 136stringregistryCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetCommandLineA.KERNEL32 ref: 00DCCF0A
      • Part of subcall function 00DCA30B: LoadStringA.USER32(?,?,?,00000100), ref: 00DCA338
      • Part of subcall function 00DC996F: CharNextA.USER32(?), ref: 00DC999D
    • lstrcmpiA.KERNEL32(00000000,UnregServer), ref: 00DCCF6B
    • lstrcmpiA.KERNEL32(00000000,RegServer), ref: 00DCCF7B
    • lstrcmpiA.KERNEL32(00000000,AtlServer), ref: 00DCCF8B
    • lstrcmpiA.KERNEL32(00000000,Service), ref: 00DCCF9B
    • lstrcmpiA.KERNEL32(00000000,RegUser), ref: 00DCCFAB
      • Part of subcall function 00DC996F: CharNextA.USER32(?), ref: 00DC9996
      • Part of subcall function 00DC996F: CharNextA.USER32(?), ref: 00DC99AC
    • RegCloseKey.ADVAPI32(00000000,?,{A3D51521-7C23-4FEB-851D-15636F49E2CD},00020019,80000000,AppID,00020019), ref: 00DCD08B
    • RegCloseKey.KERNELBASE(?,80000000,AppID,00020019), ref: 00DCD096
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: lstrcmpi$CharNext$Close$CommandLineLoadString
    • String ID: 0$$0$$0$$0$$AppID$AtlServer$LocalService$RegServer$RegUser$Service$UnregServer${A3D51521-7C23-4FEB-851D-15636F49E2CD}
    • API String ID: 632892863-2174613164
    • Opcode ID: 0b876709d1306057508103702d0b047acbcdd0021aa37aac44a6a27b6253e7b0
    • Instruction ID: ac01b28474a81fc4f95cbd442602424137626c4b5b1d6adaf9809c7d161f75ba
    • Opcode Fuzzy Hash: 0b876709d1306057508103702d0b047acbcdd0021aa37aac44a6a27b6253e7b0
    • Instruction Fuzzy Hash: DD41167190432E5ACB25AB699C46FE9B769DF45700F0450ADF645B3180DBB08E86CFB1
    Function 00E21965 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 215 e21965-e2197d GetPEB 216 e2198e-e21990 215->216 217 e2197f-e21983 call e1e825 215->217 219 e21991-e21995 216->219 220 e21988-e2198c 217->220 220->216 220->219
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c8ad7a5069ba01e9a53e32a83a8ffa24ea787f0601f99ad401c30a2ff5fbb120
    • Instruction ID: 762510e86ff9b156ab47f2bd569e8ade749a0c15a9069e70757e1a2dd7a9c24e
    • Opcode Fuzzy Hash: c8ad7a5069ba01e9a53e32a83a8ffa24ea787f0601f99ad401c30a2ff5fbb120
    • Instruction Fuzzy Hash: A1E08C32A11238EBCB14DB88D914D8AF3FCFB88B50B1510A6B501E3200C270DF40CBD0
    Function 00E190C2 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 221 e190c2 call e21965 223 e190c7-e190ca 221->223 224 e190e1-e190e3 223->224 225 e190cc-e190dc GetPEB 223->225 225->224 226 e190de-e190e0 225->226
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bf516f258805a009964ecb99b285af801c3d637a113c1c044c3fd5898dfc4b90
    • Instruction ID: a1041952195c6ac823c80ebbeb46e2478ca3ed699051daa4341b3d10062ee6be
    • Opcode Fuzzy Hash: bf516f258805a009964ecb99b285af801c3d637a113c1c044c3fd5898dfc4b90
    • Instruction Fuzzy Hash: 2EC08C34000A4046CE29892082713E433A4B3EA7C6F8024CCC9032B643C51F9CC2D610
    Function 00E1E5FA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 e1e5fa-e1e606 42 e1e698-e1e69b 41->42 43 e1e6a1 42->43 44 e1e60b-e1e61c 42->44 47 e1e6a3-e1e6a7 43->47 45 e1e629-e1e642 LoadLibraryExW 44->45 46 e1e61e-e1e621 44->46 50 e1e644-e1e64d GetLastError 45->50 51 e1e6a8-e1e6b8 45->51 48 e1e6c1-e1e6c3 46->48 49 e1e627 46->49 48->47 53 e1e695 49->53 54 e1e686-e1e693 50->54 55 e1e64f-e1e661 call e1d128 50->55 51->48 52 e1e6ba-e1e6bb FreeLibrary 51->52 52->48 53->42 54->53 55->54 58 e1e663-e1e675 call e1d128 55->58 58->54 61 e1e677-e1e684 LoadLibraryExW 58->61 61->51 61->54
    APIs
    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,3D2EC555,?,00E1E707,?,?,00000000,00000000), ref: 00E1E6BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-$ext-ms-
    • API String ID: 3664257935-537541572
    • Opcode ID: b94fc8f54709493e4f55490ccd022f978fbad05115f4dcc69f4dda154987a1d3
    • Instruction ID: 4d1f08f82bb2bf860a8d555a81156dd073a1b60be3f4434a9678569b4bde9761
    • Opcode Fuzzy Hash: b94fc8f54709493e4f55490ccd022f978fbad05115f4dcc69f4dda154987a1d3
    • Instruction Fuzzy Hash: 56210571A01311AFCB318B21AC45ADA37A89BA17A4F651620FD01B7390DA70ED80C6E1
    Function 00DEE411 Relevance: 7.6, APIs: 5, Instructions: 123COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • ___security_init_cookie.LIBCMT ref: 00DEE411
      • Part of subcall function 00DEEDCF: ___get_entropy.LIBCMT ref: 00DEEDE9
    • ___scrt_release_startup_lock.LIBCMT ref: 00DEE4AD
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00DEE4C1
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00DEE4E7
    • ___scrt_uninitialize_crt.LIBCMT ref: 00DEE52A
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
    • String ID:
    • API String ID: 2539496024-0
    • Opcode ID: 5fa8346518c6ee42983b0cacef566ead45046a6b9f9258f7d897949bef3e14d0
    • Instruction ID: 4231ae9413b00dc14072fe14eea7827cb7f348d6b7696fac81723489ecf09f6d
    • Opcode Fuzzy Hash: 5fa8346518c6ee42983b0cacef566ead45046a6b9f9258f7d897949bef3e14d0
    • Instruction Fuzzy Hash: 4D3138316457E2AADB247B776C07BED37A1DF42765F28042DF4807B2C3DE61898092B6
    Function 00E19045 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00E191BA,?,00E1903F,00000000,?,?,00E191BA,3D2EC555,?,00E191BA), ref: 00E19056
    • TerminateProcess.KERNEL32(00000000,?,00E1903F,00000000,?,?,00E191BA,3D2EC555,?,00E191BA), ref: 00E1905D
    • ExitProcess.KERNEL32 ref: 00E1906F
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: cd478240a32278ca2fcc8447cffa3d0a88f3980a660b72697a6e22d0c854872e
    • Instruction ID: 2d1e5a71f01690564a01f98a0e2014d8da6fe46476e4c9865438b3fdfd5db5ea
    • Opcode Fuzzy Hash: cd478240a32278ca2fcc8447cffa3d0a88f3980a660b72697a6e22d0c854872e
    • Instruction Fuzzy Hash: 27D09E3100010CAFCF153F61DD1D99A3F69BF44341B485060B95976032DB7699D5DB81
    Function 00DC996F Relevance: 3.8, APIs: 3, Instructions: 34COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 137 dc996f-dc9979 138 dc997b 137->138 139 dc99a5 137->139 141 dc9981-dc9984 138->141 140 dc99a7-dc99aa 139->140 141->139 142 dc9986-dc9989 141->142 143 dc9998-dc999a 142->143 144 dc999c-dc99a3 CharNextA 143->144 145 dc998b-dc998f 143->145 144->139 144->141 145->144 146 dc9991-dc9993 145->146 147 dc99ab-dc99ae CharNextA 146->147 148 dc9995-dc9996 CharNextA 146->148 147->140 148->143
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CharNext
    • String ID:
    • API String ID: 3213498283-0
    • Opcode ID: 655142f67bcfbda2b4e815f93e5e016dad733cc6467dda29ea3e4a542a7f5060
    • Instruction ID: e53ec458c174b72e34a73d0f98f1757822a1791a7d44f6016909a894cba32d72
    • Opcode Fuzzy Hash: 655142f67bcfbda2b4e815f93e5e016dad733cc6467dda29ea3e4a542a7f5060
    • Instruction Fuzzy Hash: 64F0A76290512717D722562A4838F9EF7988F83B50B2E255CD8C497200DE32DC414BF2
    Function 00E1E6C5 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 149 e1e6c5-e1e6ed 150 e1e6f3-e1e6f5 149->150 151 e1e6ef-e1e6f1 149->151 153 e1e6f7-e1e6f9 150->153 154 e1e6fb-e1e702 call e1e5fa 150->154 152 e1e744-e1e747 151->152 153->152 156 e1e707-e1e70b 154->156 157 e1e72a-e1e741 156->157 158 e1e70d-e1e71b GetProcAddress 156->158 160 e1e743 157->160 158->157 159 e1e71d-e1e728 call e1a902 158->159 159->160 160->152
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ed7896f0672aebfd77eb6915330a59875b93b02427449d49c5c381a00a078565
    • Instruction ID: 2e7dd2d36ff03d1ea915020e7b04c1ac0b2493d7b1c7636b88908d33fea4f900
    • Opcode Fuzzy Hash: ed7896f0672aebfd77eb6915330a59875b93b02427449d49c5c381a00a078565
    • Instruction Fuzzy Hash: 5001F5336007259FEB1A8E2EEC819DA33D6AB843647189121FD05FB294EA30DC858782
    Function 00DCAA62 Relevance: 1.5, APIs: 1, Instructions: 36registryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 163 dcaa62-dcaa83 164 dcaa8c RegOpenKeyExA 163->164 165 dcaa85-dcaa8a call dcaf2b 163->165 167 dcaa92-dcaa96 164->167 165->167 169 dcaaaf-dcaab4 167->169 170 dcaa98-dcaaac call dc9334 167->170 170->169
    APIs
    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00DCADD3,?,00000000,?,00000000,00000000), ref: 00DCAA8C
      • Part of subcall function 00DCAF2B: GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,00DCAA8A,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00DCADD3,?,00000000), ref: 00DCAF3B
      • Part of subcall function 00DCAF2B: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00DCAF4B
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressHandleModuleOpenProc
    • String ID:
    • API String ID: 1337834000-0
    • Opcode ID: 62a26df2dcf78e838e453885fed1a81fc9b591b22e809ffb31790a2532f8bdaf
    • Instruction ID: ba04d050eedefb2f4edfb343c6a57500b87df04a95c5d827d976c5f409953be2
    • Opcode Fuzzy Hash: 62a26df2dcf78e838e453885fed1a81fc9b591b22e809ffb31790a2532f8bdaf
    • Instruction Fuzzy Hash: 7AF0907160110BAB9F08DF59C915EBEBBEAEFC4314B04802EB805D3200EA30AE01DBB1
    Function 00DCA30B Relevance: 1.5, APIs: 1, Instructions: 31COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 173 dca30b-dca37b call dca2ac LoadStringA
    APIs
    • LoadStringA.USER32(?,?,?,00000100), ref: 00DCA338
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: LoadString
    • String ID:
    • API String ID: 2948472770-0
    • Opcode ID: 96b6f9b4c3f652362ed4addce66dc72a3122005b94f06f669609f5b2edb15ae7
    • Instruction ID: 053b2b2cc8b1425b2ac28faeb14b8f5e500451c250f9ca5dc310456f2e5f8441
    • Opcode Fuzzy Hash: 96b6f9b4c3f652362ed4addce66dc72a3122005b94f06f669609f5b2edb15ae7
    • Instruction Fuzzy Hash: 0FF097B1401B08AFD7619F66D848BD7BFE5FF88314F00482EE9AE86220D7716554DF91

    Non-executed Functions

    Function 00DE674B Relevance: 86.8, APIs: 45, Strings: 4, Instructions: 1069COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DE6755
    • SysFreeString.OLEAUT32(?), ref: 00DE698C
    • SysFreeString.OLEAUT32(?), ref: 00DE6998
    • SysFreeString.OLEAUT32(?), ref: 00DE69FE
    • SysFreeString.OLEAUT32(?), ref: 00DE6A1F
    • SysFreeString.OLEAUT32(?), ref: 00DE6A36
    • SysFreeString.OLEAUT32(?), ref: 00DE6A97
    • SysFreeString.OLEAUT32(?), ref: 00DE6B87
    • SysFreeString.OLEAUT32(?), ref: 00DE6DA1
    • SysFreeString.OLEAUT32(?), ref: 00DE6DAD
    • SysFreeString.OLEAUT32(?), ref: 00DE6E13
    • SysFreeString.OLEAUT32(?), ref: 00DE6E34
    • SysFreeString.OLEAUT32(?), ref: 00DE6E4B
    • SysFreeString.OLEAUT32(?), ref: 00DE6EAC
      • Part of subcall function 00DEAA9C: CloseHandle.KERNEL32(00000000), ref: 00DEAAA8
      • Part of subcall function 00DEAA9C: CloseHandle.KERNEL32(00000000), ref: 00DEAABB
    • SysFreeString.OLEAUT32(?), ref: 00DE6F18
    • SysFreeString.OLEAUT32(?), ref: 00DE6F97
    • SysFreeString.OLEAUT32(?), ref: 00DE6F9F
    • __EH_prolog3_GS.LIBCMT ref: 00DE6FB9
    • SysFreeString.OLEAUT32(?), ref: 00DE6FDE
    • SysFreeString.OLEAUT32(?), ref: 00DE6B08
      • Part of subcall function 00DD0D47: SysFreeString.OLEAUT32 ref: 00DD0D57
      • Part of subcall function 00DD0D47: SysAllocString.OLEAUT32(?), ref: 00DD0D62
      • Part of subcall function 00DCF963: __EH_prolog3.LIBCMT ref: 00DCF96A
      • Part of subcall function 00DCF963: SysStringLen.OLEAUT32(?), ref: 00DCF98C
      • Part of subcall function 00DCF963: SysFreeString.OLEAUT32(?), ref: 00DCF9DA
    • SysFreeString.OLEAUT32(?), ref: 00DE77D3
    • SysFreeString.OLEAUT32(?), ref: 00DE77E5
    • SysFreeString.OLEAUT32(?), ref: 00DE77ED
    • SysFreeString.OLEAUT32(?), ref: 00DE77F9
    • SysFreeString.OLEAUT32(?), ref: 00DE7877
    • SysFreeString.OLEAUT32(?), ref: 00DE787F
    • SysFreeString.OLEAUT32(?), ref: 00DE7887
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$CloseH_prolog3_Handle$AllocH_prolog3
    • String ID: d$d$d$d
    • API String ID: 1931423635-3382918743
    • Opcode ID: 9f8cd8de4a516844638d4832aaadc63be5ca12629814143fea2e7b379af929d2
    • Instruction ID: e4f6b21ab994a8642372034c57627e094957e668d4ae8e8057c4e968bea24045
    • Opcode Fuzzy Hash: 9f8cd8de4a516844638d4832aaadc63be5ca12629814143fea2e7b379af929d2
    • Instruction Fuzzy Hash: 24A28C709003999BDF21EB65CC45BEEBBB9EF54304F1444AAE84AA3251DB319E84DF31
    Function 00DC1CED Relevance: 84.2, APIs: 24, Strings: 24, Instructions: 160libraryloaderCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 805 dc1ced-dc1cf7 806 dc1cf9-dc1d0b LoadLibraryA 805->806 807 dc1d11-dc1ed1 GetProcAddress * 23 805->807 806->807 808 dc1fa6-dc1fa9 806->808 809 dc1ed7-dc1edd 807->809 810 dc1fa0 807->810 809->810 811 dc1ee3-dc1ee9 809->811 810->808 811->810 812 dc1eef-dc1ef5 811->812 812->810 813 dc1efb-dc1f01 812->813 813->810 814 dc1f07-dc1f0d 813->814 814->810 815 dc1f13-dc1f19 814->815 815->810 816 dc1f1f-dc1f25 815->816 816->810 817 dc1f27-dc1f2d 816->817 817->810 818 dc1f2f-dc1f35 817->818 818->810 819 dc1f37-dc1f3d 818->819 819->810 820 dc1f3f-dc1f45 819->820 820->810 821 dc1f47-dc1f4d 820->821 821->810 822 dc1f4f-dc1f55 821->822 822->810 823 dc1f57-dc1f5d 822->823 823->810 824 dc1f5f-dc1f65 823->824 824->810 825 dc1f67-dc1f6d 824->825 825->810 826 dc1f6f-dc1f75 825->826 826->810 827 dc1f77-dc1f7d 826->827 827->810 828 dc1f7f-dc1f85 827->828 828->810 829 dc1f87-dc1f8d 828->829 829->810 830 dc1f8f-dc1f95 829->830 830->810 831 dc1f97-dc1f99 830->831 831->810 832 dc1f9b-dc1f9f 831->832
    APIs
    • LoadLibraryA.KERNEL32(CANusb.dll,?,00DC20D5), ref: 00DC1CFE
    • GetProcAddress.KERNEL32(00000000,INIPC_initialize_board), ref: 00DC1D1E
    • GetProcAddress.KERNEL32(CANPC_initialize_chip), ref: 00DC1D31
    • GetProcAddress.KERNEL32(CANPC_initialize_chip2), ref: 00DC1D44
    • GetProcAddress.KERNEL32(INIPC_close_board), ref: 00DC1D57
    • GetProcAddress.KERNEL32(CANPC_reset_board), ref: 00DC1D6A
    • GetProcAddress.KERNEL32(CANPC_start_chip), ref: 00DC1D7D
    • GetProcAddress.KERNEL32(CANPC_reinitialize), ref: 00DC1D90
    • GetProcAddress.KERNEL32(CANPC_send_data), ref: 00DC1DA3
    • GetProcAddress.KERNEL32(CANPC_get_version), ref: 00DC1DB6
    • GetProcAddress.KERNEL32(CANPC_enable_fifo), ref: 00DC1DC9
    • GetProcAddress.KERNEL32(CANPC_enable_timestamps), ref: 00DC1DDC
    • GetProcAddress.KERNEL32(CANPC_enable_fifo_transmit_ack), ref: 00DC1DEF
    • GetProcAddress.KERNEL32(CANPC_enable_fifo_transmit_ack2), ref: 00DC1E02
    • GetProcAddress.KERNEL32(CANPC_reset_chip), ref: 00DC1E15
    • GetProcAddress.KERNEL32(CANPC_get_serial_number), ref: 00DC1E28
    • GetProcAddress.KERNEL32(CANPC_set_acceptance), ref: 00DC1E3B
    • GetProcAddress.KERNEL32(CANPC_set_acceptance2), ref: 00DC1E4E
    • GetProcAddress.KERNEL32(CANPC_set_mode), ref: 00DC1E61
    • GetProcAddress.KERNEL32(CANPC_set_mode2), ref: 00DC1E74
    • GetProcAddress.KERNEL32(CANPC_set_output_control), ref: 00DC1E87
    • GetProcAddress.KERNEL32(CANPC_set_output_control2), ref: 00DC1E9A
    • GetProcAddress.KERNEL32(CANPC_set_interrupt_event), ref: 00DC1EAD
    • GetProcAddress.KERNEL32(CANPC_read_ac), ref: 00DC1EC0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CANPC_enable_fifo$CANPC_enable_fifo_transmit_ack$CANPC_enable_fifo_transmit_ack2$CANPC_enable_timestamps$CANPC_get_serial_number$CANPC_get_version$CANPC_initialize_chip$CANPC_initialize_chip2$CANPC_read_ac$CANPC_reinitialize$CANPC_reset_board$CANPC_reset_chip$CANPC_send_data$CANPC_set_acceptance$CANPC_set_acceptance2$CANPC_set_interrupt_event$CANPC_set_mode$CANPC_set_mode2$CANPC_set_output_control$CANPC_set_output_control2$CANPC_start_chip$CANusb.dll$INIPC_close_board$INIPC_initialize_board
    • API String ID: 2238633743-1505593120
    • Opcode ID: 21397db5dfbaec2f112f1bf9b248ef51ceb9d6a8b97607b0991bd1ee4d5a7275
    • Instruction ID: 36715b6eac1f06681997b8a0dc2bd72ab47a85ed9494116185aeeabc6d0730e4
    • Opcode Fuzzy Hash: 21397db5dfbaec2f112f1bf9b248ef51ceb9d6a8b97607b0991bd1ee4d5a7275
    • Instruction Fuzzy Hash: 19611A35E51753EFCB2E4B32AC45B65FE65FF41B82F18126EA41862224CB31A964CFD0
    Function 00DE3F48 Relevance: 74.4, APIs: 22, Strings: 20, Instructions: 876registryCOMMON
    Download Yara Rule
    APIs
    • wsprintfA.USER32 ref: 00DE3FCC
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00DE3FEE
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00DE400E
    • RegQueryValueExA.ADVAPI32(?,IgnoreFirstBytes,00000000,?,?,?), ref: 00DE4049
    • RegQueryValueExA.ADVAPI32(?,AddTerminationChar,00000000,?,?,?), ref: 00DE4094
    • wsprintfA.USER32 ref: 00DE40CC
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00DE40EE
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00DE410B
      • Part of subcall function 00DEC1EC: CloseHandle.KERNEL32(00000000,?,00DE3F12), ref: 00DEC1F8
      • Part of subcall function 00DEC1EC: CloseHandle.KERNEL32(00000000,?,00DE3F12), ref: 00DEC20B
      • Part of subcall function 00DEAA9C: CloseHandle.KERNEL32(00000000), ref: 00DEAAA8
      • Part of subcall function 00DEAA9C: CloseHandle.KERNEL32(00000000), ref: 00DEAABB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseHandleOpen$QueryValuewsprintf
    • String ID: AddTerminationChar$AltSetting$IgnoreFirstBytes$Index$Interface$NbOfInterfaces$Recipient$Request$ReturnBytecount$SOFTWARE\Carl Zeiss\USB\%04X\Configuration$SOFTWARE\Carl Zeiss\USB\%04X\Configuration\Interface_%d$SOFTWARE\Carl Zeiss\USB\%04X\Connect\Request_%d$SOFTWARE\Carl Zeiss\USB\%04X\Input$SOFTWARE\Carl Zeiss\USB\%04X\Output$StartSequence$TranSize$Type$Value$d$d
    • API String ID: 2644540064-4223651951
    • Opcode ID: dd5281d5d90647a4615dc49b2cb1639666a17068acd75f6cc72c921c1c0846f3
    • Instruction ID: 660c8f1a4d965c135bd631b93833008d6cf67e08d86a42dda9f36236d9d1271e
    • Opcode Fuzzy Hash: dd5281d5d90647a4615dc49b2cb1639666a17068acd75f6cc72c921c1c0846f3
    • Instruction Fuzzy Hash: 9B8297B594026A9BDB65DF51DC84BEEBBBCEB04744F1441EAE91DA2101DB309F84CFA0
    Function 00DF4760 Relevance: 64.1, APIs: 32, Strings: 4, Instructions: 1115COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+$operator+
    • String ID: /$/$/$0
    • API String ID: 1595903985-3730329782
    • Opcode ID: 3fff0537d3136c342175a5bf8732bf6cd1bd9a7730ae8ae1777c55cb81708a29
    • Instruction ID: cc09be590d30419265d2a4a23626a997893c1c7c76d3d56ec2eb86614dc267af
    • Opcode Fuzzy Hash: 3fff0537d3136c342175a5bf8732bf6cd1bd9a7730ae8ae1777c55cb81708a29
    • Instruction Fuzzy Hash: CC821E71D0060D9BDB19DBA8D891BFEB7B4EF44340F1AC12AEB15E7284DB749A448B70
    Function 00DCEDB2 Relevance: 55.0, APIs: 28, Strings: 3, Instructions: 751synchronizationCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DCD383: SysStringLen.OLEAUT32(?), ref: 00DCD38D
      • Part of subcall function 00DCD383: VarBstrCat.OLEAUT32(?,?,00000000), ref: 00DCD3A5
      • Part of subcall function 00DCD383: SysFreeString.OLEAUT32 ref: 00DCD3B2
    • __EH_prolog3_catch_GS.LIBCMT ref: 00DCEDDE
    • WaitForSingleObject.KERNEL32(?,000003E8,0000010C,00000000), ref: 00DCEDFA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$BstrFreeH_prolog3_catch_ObjectSingleWait
    • String ID: USB($) %04X "$.USB(
    • API String ID: 1761973-2128719457
    • Opcode ID: b0efe87d3e938b2c90eadb76afa6849432db4945f3930b31f2313fcfdb689600
    • Instruction ID: cbeef8a85d4ecdcef2e97dca3ac7f03ece85a46551f236e93d205b8d25ecc7b5
    • Opcode Fuzzy Hash: b0efe87d3e938b2c90eadb76afa6849432db4945f3930b31f2313fcfdb689600
    • Instruction Fuzzy Hash: 22626D70A0025A9BDB25DB65CC85FEDB7B6EF54304F1884BEE54AA3251DA709E84CF30
    Function 00DE4D0E Relevance: 48.0, APIs: 22, Strings: 5, Instructions: 793COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DE4D18
    • SysFreeString.OLEAUT32(?), ref: 00DE4E4E
    • SysFreeString.OLEAUT32(?), ref: 00DE4E7A
    • SysStringLen.OLEAUT32(?), ref: 00DE4E85
    • SysStringLen.OLEAUT32(?), ref: 00DE4E9B
    • SysFreeString.OLEAUT32(?), ref: 00DE4ECE
    • SysStringLen.OLEAUT32(?), ref: 00DE4EAB
      • Part of subcall function 00DD82B9: GetLocalTime.KERNEL32(00000050,?,?,?,00DD3662,00000200,?,?,?,?,?,00000008,00DD2BC0,00000000,00000000,00000004), ref: 00DD8347
      • Part of subcall function 00DD6DBC: WaitForSingleObject.KERNEL32(00000000,000003E8,00000000,?,00DE9E05,00000000,?,?,00000000,?,?,0000000C,00DC190B,00000104,?,?), ref: 00DD6DD0
      • Part of subcall function 00DD6DBC: SetEvent.KERNEL32(00000000,?,00DE9E05,00000000,?,?,00000000,?,?,0000000C,00DC190B,00000104,?,?,00000000,00000000), ref: 00DD6DFB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$EventH_prolog3_LocalObjectSingleTimeWait
    • String ID: ) not found $ENDPOINT_IN_ADDRESS$ENDPOINT_OUT_ADDRESS$SOFTWARE\Carl Zeiss\USB\%04X$USB(
    • API String ID: 3079880029-2892316594
    • Opcode ID: da3afec864661c09d064b556379f9f25beb417a04bfc0cbc6209f392d9ad3394
    • Instruction ID: 5041e0a4f5a18a1e207be36c7b43bafd69fe1c75487b1b6273b6897b373c57c9
    • Opcode Fuzzy Hash: da3afec864661c09d064b556379f9f25beb417a04bfc0cbc6209f392d9ad3394
    • Instruction Fuzzy Hash: 7962D37090069A9FDB25AB75DC41BEEB7B9EF04344F0444AAE85EA3181DB319E84CF71
    Function 00DC4390 Relevance: 26.8, APIs: 14, Strings: 1, Instructions: 502filesynchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DC4397
    • GetTickCount.KERNEL32 ref: 00DC444E
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC449D
    • WriteFile.KERNEL32(?,?,00000001,?,?), ref: 00DC44C1
    • GetLastError.KERNEL32 ref: 00DC44C7
    • WaitForSingleObject.KERNEL32(?,-000003E8), ref: 00DC44E7
    • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00DC44FE
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC4574
    • WriteFile.KERNEL32(?,00000000,00000000,?,?), ref: 00DC458F
    • GetLastError.KERNEL32 ref: 00DC4595
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00DC45C1
    • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00DC45D8
    • CloseHandle.KERNEL32(?), ref: 00DC4617
    • CloseHandle.KERNEL32(?), ref: 00DC453D
      • Part of subcall function 00DD6EE2: __EH_prolog3.LIBCMT ref: 00DD6EE9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseCreateErrorEventFileH_prolog3HandleLastObjectOverlappedResultSingleWaitWrite$CountTick
    • String ID: DC3>
    • API String ID: 430576489-1927568244
    • Opcode ID: 167c4a584d8604baec2d6df3399940518e014f6da1cc56bfbefbf7da0fa0fdb4
    • Instruction ID: 68dc827fd99cb4971edab2d9d829d387766b3dd494c1c24fdb31d9d716489a45
    • Opcode Fuzzy Hash: 167c4a584d8604baec2d6df3399940518e014f6da1cc56bfbefbf7da0fa0fdb4
    • Instruction Fuzzy Hash: B4125A70900206EFDB289F65C855BBAB7F5FF48311F28852EE856DB291EB709941CB70
    Function 00DE8D44 Relevance: 20.1, APIs: 10, Strings: 1, Instructions: 841synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DE8D4B
      • Part of subcall function 00DE7F2B: __EH_prolog3.LIBCMT ref: 00DE7F32
      • Part of subcall function 00DE7F2B: WaitForSingleObject.KERNEL32(?,00000000,0000000C,00DE8D66,00000024,00DEA3B2), ref: 00DE7F51
      • Part of subcall function 00DE7F2B: SetEvent.KERNEL32(?), ref: 00DE7F72
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DE8DAF
      • Part of subcall function 00DE7E02: GetTickCount.KERNEL32 ref: 00DE7E24
      • Part of subcall function 00DE7E02: GetTickCount.KERNEL32 ref: 00DE7E51
      • Part of subcall function 00DE7E02: GetTickCount.KERNEL32 ref: 00DE7E89
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DE8EF3
    • GetTickCount.KERNEL32 ref: 00DE8F38
    • SetEvent.KERNEL32(?), ref: 00DE8FAF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CountTick$ObjectSingleWait$Event$H_prolog3H_prolog3_catch
    • String ID: i
    • API String ID: 3041293726-3865851505
    • Opcode ID: 602e27d3e2b40bf7385f4d17896ae6703fc7e0ec5d2abdbcb3810442c96b3141
    • Instruction ID: 5773f1db2d47cbe312ca12561dc2626d7c1f9e807334444abdb722453c6665a5
    • Opcode Fuzzy Hash: 602e27d3e2b40bf7385f4d17896ae6703fc7e0ec5d2abdbcb3810442c96b3141
    • Instruction Fuzzy Hash: 5F62A170A01286AFDF19EF66C8A4BBEFBB5BF49300F184159E4499B291DB359C41CB70
    Function 00DCC525 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 74servicewindowCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DCA6CD: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?,00DCA4DC), ref: 00DCA6DB
      • Part of subcall function 00DCA6CD: OpenServiceA.ADVAPI32(00000000,?,00000001,?,?,?,00DCA4DC), ref: 00DCA6EE
      • Part of subcall function 00DCA6CD: CloseServiceHandle.ADVAPI32(00000000,?,?,?,00DCA4DC), ref: 00DCA700
      • Part of subcall function 00DCA6CD: CloseServiceHandle.ADVAPI32(00000000,?,?,?,00DCA4DC), ref: 00DCA703
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00DCC550
    • MessageBoxA.USER32(00000000,Service could not be deleted,?,00000000), ref: 00DCC56A
    • OpenServiceA.ADVAPI32(00000000,?,00010020), ref: 00DCC57B
    • CloseServiceHandle.ADVAPI32(00000000,?,00010020), ref: 00DCC58B
    • ControlService.ADVAPI32(00000000,00000001,?,?,00010020), ref: 00DCC5A3
    • DeleteService.ADVAPI32(00000000,?,00010020), ref: 00DCC5AA
    • CloseServiceHandle.ADVAPI32(?,?,00010020), ref: 00DCC5BB
    • CloseServiceHandle.ADVAPI32(?,?,00010020), ref: 00DCC5C0
    Strings
    • Couldn't open service manager, xrefs: 00DCC564
    • Couldn't open service, xrefs: 00DCC593
    • Service could not be deleted, xrefs: 00DCC5C8
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Service$CloseHandle$Open$Manager$ControlDeleteMessage
    • String ID: Couldn't open service$Couldn't open service manager$Service could not be deleted
    • API String ID: 553974496-2277503015
    • Opcode ID: 4ca918548a3a39597a7794a8ad1f8b4fba0dccd7e9a6315e037a4bd15077c5a5
    • Instruction ID: cd7584d74c7a7cc564af7ad837e4184e003bce3c7d808ddf28d272f7b14d51de
    • Opcode Fuzzy Hash: 4ca918548a3a39597a7794a8ad1f8b4fba0dccd7e9a6315e037a4bd15077c5a5
    • Instruction Fuzzy Hash: B9110331A60309AFCB119B729D4CEBF7EB8DB8DB50F080028F645B3110CA249D428A71
    Function 00DCC6AE Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 480COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DC1AF0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DC1849,?,?,?,00DC165A), ref: 00DC1AF5
      • Part of subcall function 00DC1AF0: GetLastError.KERNEL32(?,00DC1849,?,?,?,00DC165A), ref: 00DC1AFF
    • GetModuleFileNameA.KERNEL32(00DC0000,?,00000104), ref: 00DCC73F
    • _strlen.LIBCMT ref: 00DCC786
    • GetModuleHandleA.KERNEL32(00000000,?,00000003,?), ref: 00DCC81B
    • GetModuleFileNameA.KERNEL32(00DC0000,?,00000104), ref: 00DCC9F8
    • _strlen.LIBCMT ref: 00DCCA3F
    • GetModuleHandleA.KERNEL32(00000000,?,00000003,?), ref: 00DCCAD2
    • _strlen.LIBCMT ref: 00DCCBAC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Module$_strlen$FileHandleName$CountCriticalErrorInitializeLastSectionSpin
    • String ID: Module$Module_Raw$REGISTRY
    • API String ID: 224816270-549000027
    • Opcode ID: 144e41b6af75dc2717043da55f0e2730010ec683bbb1668ae9ae2b7a94613e59
    • Instruction ID: cae4a7c330191174f22f43f73b4f3954c67fcc51e9951ed17aabb4231c48775c
    • Opcode Fuzzy Hash: 144e41b6af75dc2717043da55f0e2730010ec683bbb1668ae9ae2b7a94613e59
    • Instruction Fuzzy Hash: CFF1B07291122A9BDB21EA54CC45FAA7368EF44310F15109DFA49F7142EB30EE80CFB0
    Function 00DCA4C1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75windowCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DCA6CD: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?,00DCA4DC), ref: 00DCA6DB
      • Part of subcall function 00DCA6CD: OpenServiceA.ADVAPI32(00000000,?,00000001,?,?,?,00DCA4DC), ref: 00DCA6EE
      • Part of subcall function 00DCA6CD: CloseServiceHandle.ADVAPI32(00000000,?,?,?,00DCA4DC), ref: 00DCA700
      • Part of subcall function 00DCA6CD: CloseServiceHandle.ADVAPI32(00000000,?,?,?,00DCA4DC), ref: 00DCA703
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00DCA4F3
    • MessageBoxA.USER32(00000000,Couldn't create service,?,00000000), ref: 00DCA555
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: OpenService$CloseHandleManager$Message
    • String ID: Couldn't create service$Couldn't open service manager$RPCSS
    • API String ID: 954447789-115047700
    • Opcode ID: e2eceafdf5adc75aa45d78040d4937be2e2e54b1c16f01844ce332a7689f3dc5
    • Instruction ID: 8c4582d931a8a3fcaa5378ccff1a2248ecfacba1c3908997d5fcea00113de4b9
    • Opcode Fuzzy Hash: e2eceafdf5adc75aa45d78040d4937be2e2e54b1c16f01844ce332a7689f3dc5
    • Instruction Fuzzy Hash: 3911E7B165431D7EE72067769C8DFBB7EACDB05798F050429B682F3040DAA4CD449672
    Function 00DEA8DC Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 64libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(setupapi.dll,?,00000000,00000000,?,00DEAB29,?,00DE37FD,?,3D2EC555,?,?,?,00E387F1,000000FF), ref: 00DEA8F9
    • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 00DEA913
    • GetProcAddress.KERNEL32(00000000,SetupDiDestroyDeviceInfoList), ref: 00DEA921
    • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 00DEA930
    • GetProcAddress.KERNEL32(?,SetupDiGetDeviceInterfaceDetailA), ref: 00DEA941
    Strings
    • setupapi.dll, xrefs: 00DEA8F4
    • SetupDiGetClassDevsA, xrefs: 00DEA90D
    • SetupDiGetDeviceInterfaceDetailA, xrefs: 00DEA937
    • SetupDiDestroyDeviceInfoList, xrefs: 00DEA915
    • SetupDiEnumDeviceInterfaces, xrefs: 00DEA923
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
    • API String ID: 2238633743-3340099623
    • Opcode ID: 234e85abf9d6a15df93f83924ef80f60209ab4a966381cb6f5b11915439fc646
    • Instruction ID: 951211f8c04c42232f22a72a16a59ea31dc585843b1a98e510cab0712b186459
    • Opcode Fuzzy Hash: 234e85abf9d6a15df93f83924ef80f60209ab4a966381cb6f5b11915439fc646
    • Instruction Fuzzy Hash: EF11EC71E00325AFCB14AFBDCC89A597EE4EF48354B09417AE445EB252D6B4D800CFA1
    Function 00E2819B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00E282A7
    • IsValidCodePage.KERNEL32(00000000), ref: 00E282F0
    • IsValidLocale.KERNEL32(?,00000001), ref: 00E282FF
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00E28347
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00E28366
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
    • String ID: L^
    • API String ID: 415426439-79745055
    • Opcode ID: 86b5d12bcdc587d4320e64caf41b2743c0b9667ef9c91bb9b867f9c1f9057940
    • Instruction ID: 76f181cc32e8313b21d698838e509406836a3499373d048164337fe8d1b8434c
    • Opcode Fuzzy Hash: 86b5d12bcdc587d4320e64caf41b2743c0b9667ef9c91bb9b867f9c1f9057940
    • Instruction Fuzzy Hash: C0519072A02A29DFDF10DFA5ED45ABE77B8BF14704F081429F901FB1A1DB7099448B61
    Function 00DCB1AF Relevance: 10.7, APIs: 7, Instructions: 157libraryCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch_GS.LIBCMT ref: 00DCB1B9
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000060,00000000,?,?,00000003,?,?,?,00000003,?,00000000,?,00000003,?), ref: 00DCB285
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,00000003,?), ref: 00DCB2A0
    • FindResourceA.KERNEL32(00000000,?,?), ref: 00DCB2CB
    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,00000003,?), ref: 00DCB2E7
    • SizeofResource.KERNEL32(00000000,?,?,?,?,?,00000003,?), ref: 00DCB2FE
      • Part of subcall function 00DCCE32: _memcpy_s.LIBCMT ref: 00DCCE41
      • Part of subcall function 00DCAF82: CoTaskMemFree.OLE32(00000000,00000000,00000000,00000000,00000000,?), ref: 00DCB0A9
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000003,?), ref: 00DCB394
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: LibraryLoadResource$Free$FindH_prolog3_catch_SizeofTask_memcpy_s
    • String ID:
    • API String ID: 1014413209-0
    • Opcode ID: ba3d550366cb71b09ed01032197c8b147abcd2f53b2e0c3e00135680f0ed51b2
    • Instruction ID: 072cf121ca088ac60e445dc99b0046fc8fc2d08b004eebe270c69a9241ebaa15
    • Opcode Fuzzy Hash: ba3d550366cb71b09ed01032197c8b147abcd2f53b2e0c3e00135680f0ed51b2
    • Instruction Fuzzy Hash: E8514CB1A0026A9ACB219F54CC86FADB7B4EF44310F5440EEF649A7251DB30DE858F79
    Function 00E2C92F Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: baedb9850b8e66e0f344c880bdc6dc209aa0b3b46baeab51490a01136e0089ad
    • Instruction ID: a3a320efd0820af3850096c4f983bb1db300ad679f675e03c8a1bc7c7c05b3d4
    • Opcode Fuzzy Hash: baedb9850b8e66e0f344c880bdc6dc209aa0b3b46baeab51490a01136e0089ad
    • Instruction Fuzzy Hash: 1ED22772E082288FDB65CE28ED407EAB7B5EB44304F1551EAD54DF7240EB78AE858F41
    Function 00DCE0DA Relevance: 9.1, APIs: 6, Instructions: 109networksleepCOMMON
    Download Yara Rule
    APIs
    • Sleep.KERNEL32(00000001), ref: 00DCDF71
    • WSAGetOverlappedResult.WS2_32(000000FF,?,?,00000000,?), ref: 00DCDFEC
    • WSARecv.WS2_32(000000FF,00000001,00000001,?,?,?,00000000), ref: 00DCE0A5
    • SetEvent.KERNEL32(?), ref: 00DCE1D3
    • GetTickCount.KERNEL32 ref: 00DCE1E3
      • Part of subcall function 00DD2ABF: __EH_prolog3.LIBCMT ref: 00DD2AC6
      • Part of subcall function 00DD2ABF: GetTickCount.KERNEL32 ref: 00DD2B05
    • SetEvent.KERNEL32(?), ref: 00DCE228
    • SetEvent.KERNEL32(?), ref: 00DCE23B
    • SetEvent.KERNEL32(?), ref: 00DCE243
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$CountTick$H_prolog3OverlappedRecvResultSleep
    • String ID:
    • API String ID: 3629467455-0
    • Opcode ID: 1f2aad5a86917854b13de8f4b21a293080e95f5f931ba421cc4975d063a8e7b7
    • Instruction ID: 309b8bacbe51952299f4d703330419f323d42e93dcb19a38f0aab37e95aaa563
    • Opcode Fuzzy Hash: 1f2aad5a86917854b13de8f4b21a293080e95f5f931ba421cc4975d063a8e7b7
    • Instruction Fuzzy Hash: 8A5119B090021ADEDB318F25CD88F9ABBB9EF41310F1841AEE55EA3151D7709E84DF65
    Function 00DEC41B Relevance: 9.1, APIs: 6, Instructions: 64COMMON
    Download Yara Rule
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,00DEC960,00222008,00000000,00000000,00000000,00000000,00000000,00DECAD9,?,00DE3EFA), ref: 00DEC43D
    • DeviceIoControl.KERNEL32(00000000,?,00DE3EFA,?,00DECAD9,00000000,00000000,?), ref: 00DEC45D
    • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00DEC960,00222008,00000000,00000000,00000000,00000000,00000000,00DECAD9,?,00DE3EFA), ref: 00DEC4A1
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$ControlDeviceEnterLeave
    • String ID:
    • API String ID: 3815106556-0
    • Opcode ID: c9f3a9e454db0edc6b9162383ab5d6791c00b6b3050693a3b1c8a1236bb689c8
    • Instruction ID: ef000ce1ee2fea71af3300713275264fdb6a9c87a6dac1afd38385e809ae876f
    • Opcode Fuzzy Hash: c9f3a9e454db0edc6b9162383ab5d6791c00b6b3050693a3b1c8a1236bb689c8
    • Instruction Fuzzy Hash: 5C118EB651011AFFDB11EFA6DC48AEEBBA8FB08310F148125E909E2190D771ED55DBA0
    Function 00E27FC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,00E282E4,00000002,00000000,?,?,?,00E282E4,?,00000000), ref: 00E2805F
    • GetLocaleInfoW.KERNEL32(?,20001004,00E282E4,00000002,00000000,?,?,?,00E282E4,?,00000000), ref: 00E28088
    • GetACP.KERNEL32(?,?,00E282E4,?,00000000), ref: 00E2809D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 3c9edf2d07a259c9881574d0091913cdddf18317b029614f4f14876b1c8acf02
    • Instruction ID: f4d1d91b9ce0285e525ea2c5194d335b2567889d92f34b0f363b686a37d68382
    • Opcode Fuzzy Hash: 3c9edf2d07a259c9881574d0091913cdddf18317b029614f4f14876b1c8acf02
    • Instruction Fuzzy Hash: 6121D632602124AAFB348F65EF04E9773A6AB54B68B5AA024E906F7100EF33DD48D350
    Function 00DD8F6C Relevance: 8.1, APIs: 3, Strings: 1, Instructions: 1087COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DE0E7C: Sleep.KERNEL32(00000014,?,00DD8F9F), ref: 00DE0E92
    • SetEvent.KERNEL32(?), ref: 00DD907F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EventSleep
    • String ID: Simulation %2d -> %2d
    • API String ID: 3275870920-1257032037
    • Opcode ID: 37a55a5186ebf7a53edf821bba0e392535cc4579767c7976701687795c96a0fa
    • Instruction ID: f85d73e592e8a0436859a1eed31dbf696f9ec9371420a2b0af433aa47aeac660
    • Opcode Fuzzy Hash: 37a55a5186ebf7a53edf821bba0e392535cc4579767c7976701687795c96a0fa
    • Instruction Fuzzy Hash: 2682B570A00205DBDF29DFA5C8A5AADBBB5EF44714F18406BF901AB396DB72D841CB70
    Function 00E1FDC5 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 39c07734bbae36493996a32add0c90e6df768c1cfab020e37288015585da5fdc
    • Instruction ID: e04e891f2c329c6e13b14bf9e41a812d1b7ad2506435dcc5c9bf1b81375e0c6c
    • Opcode Fuzzy Hash: 39c07734bbae36493996a32add0c90e6df768c1cfab020e37288015585da5fdc
    • Instruction Fuzzy Hash: 1EB17B32A002559FEB11CF28C891BFEBBE5EF5A314F15917AE405BB382D2759D42C7A0
    Function 00E222F3 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON
    Download Yara Rule
    APIs
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00E2238E
    • FindNextFileW.KERNEL32(00000000,?), ref: 00E22409
    • FindClose.KERNEL32(00000000), ref: 00E2242B
    • FindClose.KERNEL32(00000000), ref: 00E2244E
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Find$CloseFile$FirstNext
    • String ID:
    • API String ID: 1164774033-0
    • Opcode ID: c49c36ac464050c75646d6aed48a31bdb08b21d757af95b99c3595e5bfdd2f54
    • Instruction ID: 1030cbc7a3d810214410a1cdad274e1296e96acf8820e74ff7b8e4568bc48277
    • Opcode Fuzzy Hash: c49c36ac464050c75646d6aed48a31bdb08b21d757af95b99c3595e5bfdd2f54
    • Instruction Fuzzy Hash: 1841C87190123ABEDB30EF64EC89ABEB7B9EF54309F148199E505B7140E7749E84CB60
    Function 00DFDC97 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00DFDCC0
    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00DFDCD4
    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00DFDD24
    • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00DFDD39
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Virtual$AllocInfoProtectQuerySystem
    • String ID:
    • API String ID: 3562403962-0
    • Opcode ID: fd8bac21f9d05ef9b053a6f1f114e29d7209799bc7228cc37b7026648dd458dd
    • Instruction ID: 2b89d7b1041aa45090007718b8a88172881f7ec0bd4a410a808fe2f1dcb2e164
    • Opcode Fuzzy Hash: fd8bac21f9d05ef9b053a6f1f114e29d7209799bc7228cc37b7026648dd458dd
    • Instruction Fuzzy Hash: 8721A772E0021DAFCB10DBA6CC89AEF7BBAEF44754F194425EA15F7140D6309A44C7B0
    Function 00DEE767 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DEE773
    • IsDebuggerPresent.KERNEL32 ref: 00DEE83F
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DEE85F
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00DEE869
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: ccbe4c66e8396a506e2928f178e19cf74f3d2c3f19e039c33f396d3253709637
    • Instruction ID: 6b1f3d7a8b7457b0dd4267aa01c18b3df7a9bb3def430b738e41b8b26b9d80e3
    • Opcode Fuzzy Hash: ccbe4c66e8396a506e2928f178e19cf74f3d2c3f19e039c33f396d3253709637
    • Instruction Fuzzy Hash: BA312775D0521D9BDB20EFA5D9897CDBBB8BF08300F1040AAE44CAB250EB719B898F55
    Function 00DC3BFE Relevance: 4.8, APIs: 3, Instructions: 319synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DC3C08
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00DC3C56
    • SetEvent.KERNEL32(?), ref: 00DC3C73
      • Part of subcall function 00DD6F6F: SysFreeString.OLEAUT32(?), ref: 00DD6FA0
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EventFreeH_prolog3_ObjectSingleStringWait
    • String ID:
    • API String ID: 2130574638-0
    • Opcode ID: bd53ed73b241a791c125526e65e9eca63301dcfe017a3464b788bdc3474077b0
    • Instruction ID: 424b88cce2d378991327f9ab39552e580262776e870153c1b3b189e6d408d28d
    • Opcode Fuzzy Hash: bd53ed73b241a791c125526e65e9eca63301dcfe017a3464b788bdc3474077b0
    • Instruction Fuzzy Hash: 88C18531A007259BCB35DF3998A0BF9B7F5AF58310F5484AEE589D7281DA349B80DF24
    Function 00E27C4A Relevance: 4.7, APIs: 3, Instructions: 205COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E27C9E
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E27CE8
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E27DAE
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: InfoLocale$ErrorLast
    • String ID:
    • API String ID: 661929714-0
    • Opcode ID: 35d1e119485d180d3c470f7650e601a6a502a5d4d1c80205d2ec7336d2bde23a
    • Instruction ID: e3cd301096cdc87362c9d574bea704919ed3cbc796fa37c2dd34ace5344872bf
    • Opcode Fuzzy Hash: 35d1e119485d180d3c470f7650e601a6a502a5d4d1c80205d2ec7336d2bde23a
    • Instruction Fuzzy Hash: 9861B47191422B9FEB289F28EC82BBA77A8EF05304F1051BDED45E6181E774DD85CB60
    Function 00DFD7E9 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00DFD8E1
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00DFD8EB
    • UnhandledExceptionFilter.KERNEL32(00DFD6ED,?,?,?,?,?,?), ref: 00DFD8F8
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: e8fc3c1aae967f9675e0ee2e7a22b539f5663a9cd70eaeb19f77ebb94e2055fe
    • Instruction ID: 59dfbc72da9a4e63d354ec31d1f20444f42029106a429540ff7c9fe9e9185cab
    • Opcode Fuzzy Hash: e8fc3c1aae967f9675e0ee2e7a22b539f5663a9cd70eaeb19f77ebb94e2055fe
    • Instruction Fuzzy Hash: 5031F47090121CABCB61EF65DC8879DBBB8BF08310F5041EAE41CA7261EB709F858F54
    Function 00E2B930 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd641936a990975ce5d0bbe82679ce967efb11659890725b72aa908f9a61a1d9
    • Instruction ID: f8d0bee0bc8dc303ffb556946a0749d4c33055e23769d45addb82c2b7d5a9c48
    • Opcode Fuzzy Hash: bd641936a990975ce5d0bbe82679ce967efb11659890725b72aa908f9a61a1d9
    • Instruction Fuzzy Hash: FEF12B71E002299FDF14CFA9D880AADB7B1FF88324F159269E915BB395D730AD41CB90
    Function 00E2A547 Relevance: 2.8, APIs: 1, Instructions: 1260COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID:
    • API String ID: 4168288129-0
    • Opcode ID: 929c9e7d101b0ca2ddfc9893da867d2ce6cf8cbb37205652fa62873de916021b
    • Instruction ID: 77416a4a638caf283c6817af7a723df4ee971cfb5a4fedb1a6476f4f4dfa6d63
    • Opcode Fuzzy Hash: 929c9e7d101b0ca2ddfc9893da867d2ce6cf8cbb37205652fa62873de916021b
    • Instruction Fuzzy Hash: 38B21872E046298FDB65CE28ED407EAB3B5EB84305F1951EAD84DF7240E774AE818F41
    Function 00DD30C2 Relevance: 1.8, APIs: 1, Instructions: 288COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DD30C9
      • Part of subcall function 00DD34AD: __EH_prolog3.LIBCMT ref: 00DD34B4
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: H_prolog3H_prolog3_
    • String ID:
    • API String ID: 3355343447-0
    • Opcode ID: 4cfdd49a504f4a487730aad0caf1d3bb5a36c2b3f3549cf64aeeb4a3e0356391
    • Instruction ID: e6ae09083d923f29ca8ce4ee3fd2f9f3e889975a8924ff58c7abd9201b234a56
    • Opcode Fuzzy Hash: 4cfdd49a504f4a487730aad0caf1d3bb5a36c2b3f3549cf64aeeb4a3e0356391
    • Instruction Fuzzy Hash: 9FC16E75A00648DFCB14DFA8C8919AEFBF1FF58300B18855EE8569B342DA31E906CB71
    Function 00DE2C07 Relevance: 1.8, APIs: 1, Instructions: 278COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 62bdad7967770efdeff06f2775708dd37fcd3b462587fd5d73f049a766a8d11c
    • Instruction ID: 6fd2a896795f4767b6209ea1ca2315cce757f1df8acab00d23e7906677401f03
    • Opcode Fuzzy Hash: 62bdad7967770efdeff06f2775708dd37fcd3b462587fd5d73f049a766a8d11c
    • Instruction Fuzzy Hash: 5F91B2317142859BDB28BF26C84197F37E9EF48710B29452EF94ACB290EB30D941CBB5
    Function 00E346A0 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E3469B,?,?,00000008,?,?,00E34143,00000000), ref: 00E348CD
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: f6015574844734c13db9bde7b2ef8ebe7ff51bbec21d89a024092bd97f784000
    • Instruction ID: 5de26ee9a44effdd1e8d6d6e6e6e7d186af8c169c8e2b77eaec08a15f293bf53
    • Opcode Fuzzy Hash: f6015574844734c13db9bde7b2ef8ebe7ff51bbec21d89a024092bd97f784000
    • Instruction Fuzzy Hash: ABB149B66106098FD719CF28C48ABA57FE0FF45368F259658E899DF2E1C335E981CB40
    Function 00DEEBA1 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00DEEBB7
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 6eaf56b663d27738af9537cef10e8a44e7e6529df1955b36311f375c1c4a5de8
    • Instruction ID: 9e79d9bbe706ff0998197a5f521307abb242f329e269ec2a43ee5433ccfc278b
    • Opcode Fuzzy Hash: 6eaf56b663d27738af9537cef10e8a44e7e6529df1955b36311f375c1c4a5de8
    • Instruction Fuzzy Hash: C25170B19017068FDB29CF96D9857AAB7F0FB48311F28892AD406FB361D375D948CB60
    Function 00E121A6 Relevance: 1.6, Strings: 1, Instructions: 392COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 4c9a91bf547e8b93df904e582b4b8bfbe2af076ba6dac0c3e491c0465e01cadf
    • Instruction ID: 00a07c34a5e8a412cd3f68c592c72dc87bf9d365504ff40e2f5eb804bef0dc89
    • Opcode Fuzzy Hash: 4c9a91bf547e8b93df904e582b4b8bfbe2af076ba6dac0c3e491c0465e01cadf
    • Instruction Fuzzy Hash: EDE19270A006058FCB24CF68C9906EEB7F2FF49318B14665DD666BB2A0D730ADD6CB51
    Function 00E125D6 Relevance: 1.6, Strings: 1, Instructions: 388COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: eaa15e90fadd218bbef67a132bc710ba524805fc70f65a69a5ff4406fc05e769
    • Instruction ID: 1f210e88bac466c6b6fd0e64fc816bfaa9818ea2af17dfe7bf287e2d39d9e3f2
    • Opcode Fuzzy Hash: eaa15e90fadd218bbef67a132bc710ba524805fc70f65a69a5ff4406fc05e769
    • Instruction Fuzzy Hash: 6CE1A0746006058FCB28CF68C980AEEB7F1FF45318F24A65DD656AB291D730ADD2CB51
    Function 00E11D85 Relevance: 1.6, Strings: 1, Instructions: 388COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: f8dc1c841e749fc2dc7f9aa8fc4d6245c5a0ee81678306ab7c02d96a60d5d699
    • Instruction ID: bb4ec01f1abd6c8138251579392807d60054b6bc16d5ca6697599e7507bedd55
    • Opcode Fuzzy Hash: f8dc1c841e749fc2dc7f9aa8fc4d6245c5a0ee81678306ab7c02d96a60d5d699
    • Instruction Fuzzy Hash: 80E19E746006058FCB24CF68C980AEEB7F1FF49318F24A69DD656AB291D730ADC6CB51
    Function 00E10C1C Relevance: 1.6, Strings: 1, Instructions: 348COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 151b561931af262a14dcb0c80400673d9dbdfd50332369ceb1e9faa19006942e
    • Instruction ID: 203f97caa47e843520110a02b33e2af7fc0b3392ff8e50fc6230242f7b3ea7d0
    • Opcode Fuzzy Hash: 151b561931af262a14dcb0c80400673d9dbdfd50332369ceb1e9faa19006942e
    • Instruction Fuzzy Hash: 06C1917060064ACFCB25CF68C4916FEB7B1BF49318F146619D496BB291C7B0ADC6CB91
    Function 00E1088E Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 32e34213de3c274340c62ea72800a90c0fdd3ecf52e7097a7f889fd7cbb1057f
    • Instruction ID: fbe8ca1d6d63a580b2148ad5ad041d373d8c76b88f58b1f9f3544507f950f78c
    • Opcode Fuzzy Hash: 32e34213de3c274340c62ea72800a90c0fdd3ecf52e7097a7f889fd7cbb1057f
    • Instruction Fuzzy Hash: E5C1B27090474A8FDB28CF68C490AEEB7F1BF85318F146619D496B7292C7B0ADC5CB91
    Function 00E10FB9 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 3918bbd35fd045355bd7b4c2007715e10eced374bbeccf6c2a4d085ac8506328
    • Instruction ID: bdabd78bcf3669c11badb18e3e24b2562824a58a8bbc6c5ba85fad9b2a4bedf5
    • Opcode Fuzzy Hash: 3918bbd35fd045355bd7b4c2007715e10eced374bbeccf6c2a4d085ac8506328
    • Instruction Fuzzy Hash: A0C1DE74A006868FCB28CF68C4806EEB7F1AF09318F146699D656E72A1C731EDC5DB51
    Function 00E27E9D Relevance: 1.6, APIs: 1, Instructions: 83COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E27EF1
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: 1f7c327f75564e503d9fd64284b5ca850cb7cb23a5c02ea3e829fec821443091
    • Instruction ID: 1ef8862a7cf2d70caa02db50ec3bcb39c2baa0c8249ba74f603902ead1b3e4c0
    • Opcode Fuzzy Hash: 1f7c327f75564e503d9fd64284b5ca850cb7cb23a5c02ea3e829fec821443091
    • Instruction Fuzzy Hash: 2821047261C227AFEB289B25ED42ABA73E8EF04314F10207EF905E6241EB74ED44C750
    Function 00E116AC Relevance: 1.6, Strings: 1, Instructions: 326COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: ea30dcf6968b0c227f9b78cf9aa4f79c31948c4d20cb60b75532999b6dd977a9
    • Instruction ID: 7462a25f91db3ed2b1a68dbe17ca12f861024945f748905f83719b91c552d6b9
    • Opcode Fuzzy Hash: ea30dcf6968b0c227f9b78cf9aa4f79c31948c4d20cb60b75532999b6dd977a9
    • Instruction Fuzzy Hash: 3CB1AF70A007098ACB28DF68C5906FEB7F1AF85708F10A59ED696B7390D730ADC6CB51
    Function 00E11347 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 0d5422a679e4c6a5459ec58ef6a9d8bdf4e4d53ab03af3f36f6312445d7882ee
    • Instruction ID: 31c2b1e27dc4af7e385550773696f7aef9f9203628b014728c6c38cc505997e3
    • Opcode Fuzzy Hash: 0d5422a679e4c6a5459ec58ef6a9d8bdf4e4d53ab03af3f36f6312445d7882ee
    • Instruction Fuzzy Hash: 54B1CD70A0060A8FCB24CF68C580AFEB7F6AF84708B14659DD666F7690D731ADC6CB51
    Function 00E11A20 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: abe5cc72fbd0a6d13488f8c0fed72f20196653a2114fc080b5d7020cee494722
    • Instruction ID: 25c322b61a2e80de886973ef8d314699fe0c58743df461a8debf5f6189ab4430
    • Opcode Fuzzy Hash: abe5cc72fbd0a6d13488f8c0fed72f20196653a2114fc080b5d7020cee494722
    • Instruction Fuzzy Hash: EBB1B170A04B0A8ECB24CF68C590AFEBBF1AF44708F50659DD656B7690D730ADC5CB51
    Function 00E101EF Relevance: 1.6, Strings: 1, Instructions: 318COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 3082a7b148598682a09afaf7a196064dc18c79d974c34ff1c9e3fa28d952be88
    • Instruction ID: da67e75e360d6391a29bd567ea923388e8ac016764ae3e626108deeb8fec251c
    • Opcode Fuzzy Hash: 3082a7b148598682a09afaf7a196064dc18c79d974c34ff1c9e3fa28d952be88
    • Instruction Fuzzy Hash: 62B1F47090060A8FCB24CF68C595AFEB7F5AB45318F14251DD5A6F72A2CBB09DC2CB51
    Function 00E10546 Relevance: 1.6, Strings: 1, Instructions: 314COMMONLIBRARYCODE
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: ab94d567eae6e2bfe89430f0b3f7ffad3ebded70fe542f945984b7b502da12a5
    • Instruction ID: 2516634ab7b1b9fb7614e0df1dbd8c2870249b8e8dc4a0fb1cf4e45d2277ec4f
    • Opcode Fuzzy Hash: ab94d567eae6e2bfe89430f0b3f7ffad3ebded70fe542f945984b7b502da12a5
    • Instruction Fuzzy Hash: 94B1A07090460A8BCB38DF68C5916FEB7F2AF84318F14251AE492B7691D6B0E9D1CF91
    Function 00E0FEA7 Relevance: 1.6, Strings: 1, Instructions: 314COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 0bf933d159f877b433ff2e3dd1ebbf68fa644b19952f8f3266168e78c8c268a7
    • Instruction ID: 0d769ce72cd0482e1ca203c8b498d2ffd5fdb067470083665a1e1b225997eac1
    • Opcode Fuzzy Hash: 0bf933d159f877b433ff2e3dd1ebbf68fa644b19952f8f3266168e78c8c268a7
    • Instruction Fuzzy Hash: CEB1D470A0060A9BCB349F68C4956FEB7F1AB05308F242A2AD492F76D1C775EDD2CB51
    Function 00E27B24 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • EnumSystemLocalesW.KERNEL32(00E27C4A,00000001,00000000,?,-00000050,?,00E2827B,00000000,?,?,?,00000055,?), ref: 00E27B96
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: b3664b183fb71bf3c8ce066d737c486a88765ae8180d99877b9957da8e9a6437
    • Instruction ID: b26571f40b8cfbaa47596c377abf38f6bacbc42faacce0bf65f10e07b92fe654
    • Opcode Fuzzy Hash: b3664b183fb71bf3c8ce066d737c486a88765ae8180d99877b9957da8e9a6437
    • Instruction Fuzzy Hash: 1711253A2087055FDB189F39D8A15BABB92FF84369B18482CE9C697A40E371A842C740
    Function 00DD82B9 Relevance: 1.6, APIs: 1, Instructions: 62timeCOMMON
    Download Yara Rule
    APIs
    • GetLocalTime.KERNEL32(00000050,?,?,?,00DD3662,00000200,?,?,?,?,?,00000008,00DD2BC0,00000000,00000000,00000004), ref: 00DD8347
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: LocalTime
    • String ID:
    • API String ID: 481472006-0
    • Opcode ID: fc1564daae4f434fc2f837b005045bfd43c2056adac42f71df4d7653d85c2f66
    • Instruction ID: 36aa2f64b74ea8f6de445197f398cc25c740ec47bce448cddd44caa8bd87f18a
    • Opcode Fuzzy Hash: fc1564daae4f434fc2f837b005045bfd43c2056adac42f71df4d7653d85c2f66
    • Instruction Fuzzy Hash: A211BFBA4017459ADB21AF26DD45AA7BBE8FF84B50F04481FF88982A41DF71E401EB70
    Function 00E280CC Relevance: 1.5, APIs: 1, Instructions: 45COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E27E66,00000000,00000000,?), ref: 00E280F8
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: 913ecedc78f17e6b341bf78d755c18951f4c372ec1d7578dfdab7598d4e47f66
    • Instruction ID: a259b3f82ab9dcb681eef634b78e8590231d559affb8167944e6973bf1d806eb
    • Opcode Fuzzy Hash: 913ecedc78f17e6b341bf78d755c18951f4c372ec1d7578dfdab7598d4e47f66
    • Instruction Fuzzy Hash: 51F0A9326021356FDB285725ED067BA77A4EB50758F195428EC45B31C0DF74FD52C590
    Function 00E27BBF Relevance: 1.5, APIs: 1, Instructions: 41COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • EnumSystemLocalesW.KERNEL32(00E27E9D,00000001,00000000,?,-00000050,?,00E2823F,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00E27C09
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: 5064f27cb7e3ff8551e73b6dbb8dd5f51500f5ed3377da4430261cf6d958b47b
    • Instruction ID: aa3a4ebfdc272de85eed896ac84aa12f0172ff19d9953419cb814e2cdc3054ee
    • Opcode Fuzzy Hash: 5064f27cb7e3ff8551e73b6dbb8dd5f51500f5ed3377da4430261cf6d958b47b
    • Instruction Fuzzy Hash: BDF046362043145FCB245F39AC86A7ABB91FF8032CF09483CF9859B680C6B1AC41C750
    Function 00DC63EB Relevance: 1.5, APIs: 1, Instructions: 35comCOMMON
    Download Yara Rule
    APIs
    • CoCreateInstance.OLE32(00E40580,00000000,00000001,00E3D6B8,?), ref: 00DC6416
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 6d4a32403cbe1caada4e539d1b04f173ef0684e9ae9a7ab82a29d5a4e1a8b2d7
    • Instruction ID: ba7ed1b41f6eee4bf5dc0506b352416d1f07fab8cad69ab9573117efcb779bea
    • Opcode Fuzzy Hash: 6d4a32403cbe1caada4e539d1b04f173ef0684e9ae9a7ab82a29d5a4e1a8b2d7
    • Instruction Fuzzy Hash: 4CF08272349322AB83258F8AEC84E57FF6CEF55B607144129FA08AB200D770DC50CAF1
    Function 00E1E0C3 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E216C0: EnterCriticalSection.KERNEL32(-00E536C8,?,00E18ADE,00000000,00E4E4F8,0000000C,00E18AA5,?,?,00E1DF91,?,?,00E1DDE0,00000001,00000364,00000000), ref: 00E216CF
    • EnumSystemLocalesW.KERNEL32(Function_0005E0B0,00000001,00E4E858,0000000C), ref: 00E1E0FB
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: 803503efe17b3fb459c0093615bb4993a346d4915a9b3577af7aafcd0d22bd53
    • Instruction ID: 172cffad35c2a7d25f8f3d5751bf52dda03266fd8ce4add0617493ef8e5559ea
    • Opcode Fuzzy Hash: 803503efe17b3fb459c0093615bb4993a346d4915a9b3577af7aafcd0d22bd53
    • Instruction Fuzzy Hash: 90F03C76A00314EFD705DF59E842B9D7BF0FB08761F10442AF410A73A1CA754984CB51
    Function 00E27ABB Relevance: 1.5, APIs: 1, Instructions: 31COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E1DC42: GetLastError.KERNEL32(?,00000008,00E24D32), ref: 00E1DC46
      • Part of subcall function 00E1DC42: SetLastError.KERNEL32(00000000,00E4E9D8,00000024,00E1D07A), ref: 00E1DCE8
    • EnumSystemLocalesW.KERNEL32(00E27A14,00000001,00000000,?,?,00E2829D,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00E27AF2
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: b453c1f17f018aba0e5cd92b593ebafb186783aaaae3678d9dac887bc5752589
    • Instruction ID: 726b018926f9995035dc3778f36e57e73c40e2eaf7b956319ca1c8888110fe81
    • Opcode Fuzzy Hash: b453c1f17f018aba0e5cd92b593ebafb186783aaaae3678d9dac887bc5752589
    • Instruction Fuzzy Hash: 46F055363002045BCB159F39EC466AABF90FFC1724F0A0058EA499B240C2719982C790
    Function 00DCC41F Relevance: 1.5, APIs: 1, Instructions: 29COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DCA57D: __EH_prolog3.LIBCMT ref: 00DCA584
      • Part of subcall function 00DCA57D: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,00000004,00DCC42E), ref: 00DCA5A2
    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00DCC44F
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CreateCtrlDispatcherEventH_prolog3ServiceStart
    • String ID:
    • API String ID: 520211092-0
    • Opcode ID: d1ae4d12109e7b00d313033ef3c4d348a52b8d7df32a4d2cf185082ca4023c81
    • Instruction ID: 3e8f34f9066bd86a3b033eefc2b5f36885897c1c8711fdf13e921290042738b9
    • Opcode Fuzzy Hash: d1ae4d12109e7b00d313033ef3c4d348a52b8d7df32a4d2cf185082ca4023c81
    • Instruction Fuzzy Hash: B1F08271D10719DBCB20EFA98904AEEFBFCFFC0705B04446ED16A93200D774A5458B61
    Function 00E1EB7F Relevance: 1.5, APIs: 1, Instructions: 24COMMON
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00E1CB47,?,20001004,00000000,00000002,?,?,00E1BEBF), ref: 00E1EBB3
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 88b21c730625eecc0b2d94ee76f41a914f7ce9ec6e672fe5c99e7169fd1337f1
    • Instruction ID: fdc689bd352442dee59b8d3bef5db0a956696fd5c746958d89482682b6efec32
    • Opcode Fuzzy Hash: 88b21c730625eecc0b2d94ee76f41a914f7ce9ec6e672fe5c99e7169fd1337f1
    • Instruction Fuzzy Hash: ABE01A31540218BBCF122F61DC08EEE7F6AEF44751F044020FD0575261CB3189A1AA95
    Function 00E1E254 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
    Download Yara Rule
    APIs
    • EnumSystemLocalesW.KERNEL32(Function_0005E0B0,00000001), ref: 00E1E26E
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: a7518d557b2c1c912667eee4b40b5890d4d5eefde557c538bad5fab540b13b57
    • Instruction ID: 71512c291326f2b9913460361e33ef2cc16be06ba2ecdf33cdf8032e2ae11a03
    • Opcode Fuzzy Hash: a7518d557b2c1c912667eee4b40b5890d4d5eefde557c538bad5fab540b13b57
    • Instruction Fuzzy Hash: 69D0A770600308BFC70A5F22EC4A9413F56F340361B100419F918273A0DEB258C4C691
    Function 00E1E222 Relevance: 1.5, APIs: 1, Instructions: 11COMMON
    Download Yara Rule
    APIs
    • EnumSystemLocalesW.KERNEL32(Function_0005E0B0,00000001), ref: 00E1E238
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: 19ff5a6a04620040ecbbfe3973d3750428d2b40949a429e9db24984882a3d2ca
    • Instruction ID: 6d38818351346db1b0d4cb5477b5cfd66b5ecd3cf1edc7075cebfc5bd917bf53
    • Opcode Fuzzy Hash: 19ff5a6a04620040ecbbfe3973d3750428d2b40949a429e9db24984882a3d2ca
    • Instruction Fuzzy Hash: 36D0C9B4601300BFC70A9F21E89A9413FA2F704312B20086DF512AB3B0CAB118C8CA51
    Function 00DEE8FE Relevance: 1.5, APIs: 1, Instructions: 3COMMON
    Download Yara Rule
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0002E90D,00DEE404), ref: 00DEE903
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 1c2edea3260ec3bc737fd2291b6fa0f6dcd68830a641ee5fcc6baf0a1e8a6537
    • Instruction ID: dbd82a148cc7114d0dbe4564c9a2e1a50f84ccb6d4857e28dca27a875af50fd0
    • Opcode Fuzzy Hash: 1c2edea3260ec3bc737fd2291b6fa0f6dcd68830a641ee5fcc6baf0a1e8a6537
    • Instruction Fuzzy Hash:
    Function 00E21996 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: $8
    • API String ID: 0-3016705100
    • Opcode ID: e87ce55e414c52fef30e8f176e5e20c6f2493996667a8ec8ddfb4b79c44b4f4a
    • Instruction ID: 5aa05ef973c55a53394b0ea2019f57390be1c8b4fa3b8b85b00d6a043ae0a3c7
    • Opcode Fuzzy Hash: e87ce55e414c52fef30e8f176e5e20c6f2493996667a8ec8ddfb4b79c44b4f4a
    • Instruction Fuzzy Hash: 3BF096326442349BC72A9A9CE92ABA9B2D8EB99714F156097F501F7390C6A1DF80C7D0
    Function 00E217BC Relevance: 1.3, Strings: 1, Instructions: 38COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: $8
    • API String ID: 0-3016705100
    • Opcode ID: 6e5f2dabba5886e45622ce70f4e8a2b24e00c0ef6c2523bc242744aaee987b72
    • Instruction ID: 68feb852c4aded5122d40717e18ca6d1b0baefaf927aa93d2adfd1431ee4522d
    • Opcode Fuzzy Hash: 6e5f2dabba5886e45622ce70f4e8a2b24e00c0ef6c2523bc242744aaee987b72
    • Instruction Fuzzy Hash: ECF0CD32640218EBC72DCE2CE598B5973E8EB15345F2024A8F105F7390E6B0DF408600
    Function 00E21921 Relevance: 1.3, Strings: 1, Instructions: 29COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 8
    • API String ID: 0-1179640460
    • Opcode ID: 2d7d5abf30a1b459cab6ddb375fe38974b7e764b15aa44251da6287f52fdef42
    • Instruction ID: 2b0132af7e1379689755e4dcb137f2739b4c10c155dd29350a3ca9435bf0fa8f
    • Opcode Fuzzy Hash: 2d7d5abf30a1b459cab6ddb375fe38974b7e764b15aa44251da6287f52fdef42
    • Instruction Fuzzy Hash: 9BF01C72610224ABCB2A9B48D845A9973E8EB89B95F111496F541F7250C6B09E4487D0
    Function 00E21779 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: 8
    • API String ID: 0-1179640460
    • Opcode ID: 4b246bab7a89c3599d848ad71f538c0c83e125e3740e381ef0d12249c0501fa3
    • Instruction ID: 5b0b072ba0d8058da556e7e2b7302be75869436be96db5be5b32f1712a7a50d2
    • Opcode Fuzzy Hash: 4b246bab7a89c3599d848ad71f538c0c83e125e3740e381ef0d12249c0501fa3
    • Instruction Fuzzy Hash: 33E06535A00308EFCB19CB69D954A4AB3E8EB89785F2054A8F80AE7390D334DF44CB80
    Function 00E247B4 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: b0caad3900a3a5bbc35c313b7a261b6743618d9bae71a95b2af60580a864816c
    • Instruction ID: 33765f0377728c0f2bea98426221f0e96f3584fc521145be59ad99f64d828f83
    • Opcode Fuzzy Hash: b0caad3900a3a5bbc35c313b7a261b6743618d9bae71a95b2af60580a864816c
    • Instruction Fuzzy Hash: 83A011B0202280AF83088F32AA882083BE8AB002C2B08002AA000E00A0EA2080C8AA02
    Function 00E2C280 Relevance: .4, Instructions: 386COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eb2f31acbb9f44d9a370e7e66e9700d563013572f5f59f0b54d6b6f52a89d4aa
    • Instruction ID: 2b0fb810a65815f7ca43f012590965aceaa170408cefac387e6e3c20a2022748
    • Opcode Fuzzy Hash: eb2f31acbb9f44d9a370e7e66e9700d563013572f5f59f0b54d6b6f52a89d4aa
    • Instruction Fuzzy Hash: B0E16F71A002288FDB25DF19DC80BAEB7B9FF46708F2450EAD949B7241D7309E818F91
    Function 00E2BE40 Relevance: .3, Instructions: 259COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 57f6d77bec6c300d1791afd2576b9ad34f5a64a1befc4b00228df4cb2ef77a5d
    • Instruction ID: 44ca95b5a119b884140d9323fd9b19a3a4d71a9b620dba366f20388dff63f91d
    • Opcode Fuzzy Hash: 57f6d77bec6c300d1791afd2576b9ad34f5a64a1befc4b00228df4cb2ef77a5d
    • Instruction Fuzzy Hash: 81A12C76A002298BDB24DF18DC81BEDB7F5EB89304F2550EAD909BB241D7719E818F91
    Function 00E218DD Relevance: .0, Instructions: 29COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b46625afac38978fe9c565af4a031436a7d2a289274b1c34650a3680e00a7ae5
    • Instruction ID: fda053197ee9a37ca52c213876876bbf75a9f8731d8b2943d93393f3c509e9b0
    • Opcode Fuzzy Hash: b46625afac38978fe9c565af4a031436a7d2a289274b1c34650a3680e00a7ae5
    • Instruction Fuzzy Hash: 89F01C31611264EBCB2A8748D415A9972F8EB85B65F155096F501B7291C270DF80C790
    Function 00E21736 Relevance: .0, Instructions: 26COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3bb6be6e3a2c40a137046c71258fef158df421da1388737bec7aa58631536f91
    • Instruction ID: 3a4c8de6fb17f680957f74efee75bcf796c6f8b51e487ef942278a3145ad320e
    • Opcode Fuzzy Hash: 3bb6be6e3a2c40a137046c71258fef158df421da1388737bec7aa58631536f91
    • Instruction Fuzzy Hash: 64E06535600384EFCB09CB69C544A4AB3F8EB89789F2094B8F809E7691D334DF84CB10
    Function 00E21817 Relevance: .0, Instructions: 18COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 21173f34987fa89f39f15d31161974fc4ce0ce7f404b629575d268ef801ac022
    • Instruction ID: 077fe2a514200d08dade6ecdda9eda70b666fc9ea1a913c4e415217898c6bd9f
    • Opcode Fuzzy Hash: 21173f34987fa89f39f15d31161974fc4ce0ce7f404b629575d268ef801ac022
    • Instruction Fuzzy Hash: 72E0E275505248EFCB08DBA8C589A8AB7F8EB48754F5558A4F405E7251D234EF80DA50
    Function 00DF740A Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 339COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
    • String ID: .
    • API String ID: 1186856153-1603360339
    • Opcode ID: 53c4cb0ccdcad4702274d580ad15220d95728909bb0873f62dcc4dd7ea7caad5
    • Instruction ID: 269cc4bdf05bfefb3ec3283adedfbbb4ceec461c5ffb696706d84b15adacc716
    • Opcode Fuzzy Hash: 53c4cb0ccdcad4702274d580ad15220d95728909bb0873f62dcc4dd7ea7caad5
    • Instruction Fuzzy Hash: 00C1407191520CAFCB08EF98D895AFE7BB4EB09300F15855EE705A7391EB70AA45CB70
    Function 00DCB5A4 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 445stringregistryCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DCA94F: CharNextA.USER32(00000000,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA976
      • Part of subcall function 00DCA94F: CharNextA.USER32(?,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA9EA
    • lstrcmpiA.KERNEL32 ref: 00DCB62A
    • lstrcmpiA.KERNEL32(00000000,ForceRemove), ref: 00DCB641
    • _strlen.LIBCMT ref: 00DCB9A5
    • RegCloseKey.ADVAPI32(00000000,00000000), ref: 00DCBBF0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CharNextlstrcmpi$Close_strlen
    • String ID: Delete$ForceRemove$NoRemove$Val
    • API String ID: 1395372240-1781481701
    • Opcode ID: e337b28956d258173ebd2713ef13bc5afc1b2d7c8447f723fddc8da172e1533f
    • Instruction ID: 174ad5223236c9f8e7528d9820ed85ca1cb38a695016dc99d5eeccb043b1fd75
    • Opcode Fuzzy Hash: e337b28956d258173ebd2713ef13bc5afc1b2d7c8447f723fddc8da172e1533f
    • Instruction Fuzzy Hash: A4F16331D0022B9BDB399A558C96FEAB7B5AF45760F0400DEEA05A7185DB34DE80CFB1
    Function 00DD14CA Relevance: 31.9, APIs: 13, Strings: 5, Instructions: 356COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DD14D4
      • Part of subcall function 00DD0DF6: HidD_GetHidGuid.HID ref: 00DD0E1F
      • Part of subcall function 00DD0DF6: SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000012), ref: 00DD0E2E
      • Part of subcall function 00DD0DF6: SetupDiEnumDeviceInterfaces.SETUPAPI(00000000,00000000,?,?,0000001C), ref: 00DD0E4D
      • Part of subcall function 00DD0DF6: SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00DD0E58
    • HidD_GetAttributes.HID(000000FF,00000100), ref: 00DD151F
    • SysFreeString.OLEAUT32(?), ref: 00DD15E0
    • wsprintfA.USER32 ref: 00DD1604
    • SysFreeString.OLEAUT32(?), ref: 00DD1635
    • wsprintfA.USER32 ref: 00DD164B
    • SysFreeString.OLEAUT32(?), ref: 00DD16D1
    • SysStringLen.OLEAUT32(?), ref: 00DD16DC
    • SysStringLen.OLEAUT32(?), ref: 00DD16F2
    • SysStringLen.OLEAUT32(?), ref: 00DD1702
    • SysFreeString.OLEAUT32(?), ref: 00DD1735
    • CloseHandle.KERNEL32(000000FF), ref: 00DD1746
    • __EH_prolog3.LIBCMT ref: 00DD1784
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$Setup$Devicewsprintf$AttributesClassCloseDestroyDevsEnumGuidH_prolog3H_prolog3_HandleInfoInterfacesList
    • String ID: ) Can't read Attributes $) No Access to Device $) VID %04X $, PID %04X $HID(
    • API String ID: 1290964909-4212071394
    • Opcode ID: 5ff59a561d355633888a6cdde0fb579f6ba93c135e2810a7636ce89c2f04288e
    • Instruction ID: 29ccae661d85a7c810a022c26ed8edcb56c6bb946c4a1a7ce53aaf950bed0b7a
    • Opcode Fuzzy Hash: 5ff59a561d355633888a6cdde0fb579f6ba93c135e2810a7636ce89c2f04288e
    • Instruction Fuzzy Hash: 8CD1C774900219AADF21DFA4CC45BEEBB75EF04310F14816AF859A7291DB719E85CFB0
    Function 00DE3B12 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 274registryCOMMON
    Download Yara Rule
    APIs
    • wsprintfA.USER32 ref: 00DE3BC5
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00DE3BE7
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00DE3C04
    • RegQueryValueExA.ADVAPI32(?,Request,00000000,?,?,?), ref: 00DE3C42
    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?), ref: 00DE3C94
    • RegQueryValueExA.ADVAPI32(?,Type,00000000,?,?,?), ref: 00DE3CE8
    • RegQueryValueExA.ADVAPI32(?,Recipient,00000000,?,?,?), ref: 00DE3D3E
    • RegQueryValueExA.ADVAPI32(?,Index,00000000,?,?,?), ref: 00DE3D90
    • RegQueryValueExA.ADVAPI32(?,ReturnBytecount,00000000,?,?,?), ref: 00DE3DE0
    • RegCloseKey.ADVAPI32(?), ref: 00DE3E09
    • RegCloseKey.ADVAPI32(?), ref: 00DE3E67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: QueryValue$CloseOpen$wsprintf
    • String ID: Index$Recipient$Request$ReturnBytecount$SOFTWARE\Carl Zeiss\USB\%04X\Disconnect\Request_%d$Type$Value
    • API String ID: 3581893009-4183600560
    • Opcode ID: df827f9e3c5570240eea3e6c37ec4947058f6d6b7205a7c8627405949a73d438
    • Instruction ID: 9134a2c8e38a64c7f5ac0fe3087e0b147df18e961314b1a760f788405f018656
    • Opcode Fuzzy Hash: df827f9e3c5570240eea3e6c37ec4947058f6d6b7205a7c8627405949a73d438
    • Instruction Fuzzy Hash: 9DB10B7190029ADEDB35EB15CD45BFEB7B8EB04700F1485EBE50AB6241EA306E85CF60
    Function 00DD0F70 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 237COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DD0F7A
      • Part of subcall function 00DD0DF6: HidD_GetHidGuid.HID ref: 00DD0E1F
      • Part of subcall function 00DD0DF6: SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000012), ref: 00DD0E2E
      • Part of subcall function 00DD0DF6: SetupDiEnumDeviceInterfaces.SETUPAPI(00000000,00000000,?,?,0000001C), ref: 00DD0E4D
      • Part of subcall function 00DD0DF6: SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00DD0E58
    • HidD_GetAttributes.HID(000000FF,?), ref: 00DD0FCE
    • HidD_GetSerialNumberString.HID(000000FF,?,00000190,00E3C9FA,000000FF,?), ref: 00DD101E
    • SysFreeString.OLEAUT32(?), ref: 00DD1107
    • wsprintfA.USER32 ref: 00DD1123
    • SysFreeString.OLEAUT32(?), ref: 00DD1154
    • wsprintfA.USER32 ref: 00DD116A
    • SysFreeString.OLEAUT32(?), ref: 00DD119B
    • SysStringLen.OLEAUT32(?), ref: 00DD11A6
    • SysStringLen.OLEAUT32(?), ref: 00DD11BC
    • SysStringLen.OLEAUT32(?), ref: 00DD11CC
    • SysFreeString.OLEAUT32(?), ref: 00DD11EF
    • SysFreeString.OLEAUT32(?), ref: 00DD1201
    • CloseHandle.KERNEL32(000000FF,000000FF,?), ref: 00DD120D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$Setup$Devicewsprintf$AttributesClassCloseDestroyDevsEnumGuidH_prolog3_HandleInfoInterfacesListNumberSerial
    • String ID: ) VID %04X $, PID %04X $HID(
    • API String ID: 2257598788-56692182
    • Opcode ID: b208374b35b1aed4923bba4a40a10091132c40fa54c3086d73c73f2768a33fa2
    • Instruction ID: 36909699778cd1423f35ea791d4203b32c3d01af6aea20e21e2d4953b22befc1
    • Opcode Fuzzy Hash: b208374b35b1aed4923bba4a40a10091132c40fa54c3086d73c73f2768a33fa2
    • Instruction Fuzzy Hash: B891C675900359AACB219FA5CC45BEDBBB8EF04300F0440AAEA49B3291DB719EC5CF75
    Function 00DCAAB7 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 201COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DCAABE
    • _strlen.LIBCMT ref: 00DCAAE3
    • CharNextA.USER32(?,?,00000000,00000000), ref: 00DCAB4D
    • CharNextA.USER32(00000000,?,?,00000000,00000000), ref: 00DCAB56
    • CharNextA.USER32(00000000,?,?,00000000,00000000), ref: 00DCAB5F
    • CharNextA.USER32(00000000,?,?,00000000,00000000), ref: 00DCAB68
    • CharNextA.USER32(00000000,}},?,00000000,00000000), ref: 00DCAC23
    • CharNextA.USER32(00000000,00000000,00000040,00DCAFB6,00000000,00000000,00000000,?), ref: 00DCAC33
    • CharNextA.USER32(?,00000000,00000000), ref: 00DCAC4F
    • CoTaskMemFree.OLE32(?,00000000,00000040,00DCAFB6,00000000,00000000,00000000,?), ref: 00DCACF2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CharNext$FreeH_prolog3_Task_strlen
    • String ID: }}$HKCR$HKCU{Software{Classes
    • API String ID: 3710767669-1142484189
    • Opcode ID: 5e9d7f71631ad0647bdb72a51d57c6495886f04b05d923c74ddee1fe24c16cce
    • Instruction ID: c8d64a5ad1bc1758d812fc5d905f2c2a8c0fe0547e59c1bd5dab264e1f53e242
    • Opcode Fuzzy Hash: 5e9d7f71631ad0647bdb72a51d57c6495886f04b05d923c74ddee1fe24c16cce
    • Instruction Fuzzy Hash: C3718F7490424FAFDB119F68D958FADBBB5AF15314F28001DF882A7261DB349C94CB72
    Function 00DF88DE Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 301COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::operator+.LIBCMT ref: 00DF8949
    • DName::operator+.LIBCMT ref: 00DF8A7F
      • Part of subcall function 00DF44C8: shared_ptr.LIBCMT ref: 00DF44E4
    • DName::operator+.LIBCMT ref: 00DF8ACB
    • DName::operator+.LIBCMT ref: 00DF8ADA
    • DName::operator+.LIBCMT ref: 00DF8A35
      • Part of subcall function 00DFA1B2: DName::operator=.LIBVCRUNTIME ref: 00DFA241
    • DName::operator+.LIBCMT ref: 00DF8C07
    • DName::operator=.LIBVCRUNTIME ref: 00DF8C47
    • DName::DName.LIBVCRUNTIME ref: 00DF8C5F
    • DName::operator+.LIBCMT ref: 00DF8C6E
    • DName::operator+.LIBCMT ref: 00DF8C7A
      • Part of subcall function 00DFA1B2: Replicator::operator[].LIBVCRUNTIME ref: 00DFA1EF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
    • String ID: .$.$.
    • API String ID: 1026175760-3465964574
    • Opcode ID: 6285ea3ade782f46fba4a020819899704de3cc286c10624582d835cfdd7338ef
    • Instruction ID: e81957903a8711b00b3f67757434a668c4929479501173964ea8a61bea0f0b46
    • Opcode Fuzzy Hash: 6285ea3ade782f46fba4a020819899704de3cc286c10624582d835cfdd7338ef
    • Instruction Fuzzy Hash: D0C1AEB19013089FDB14CFA4D845BFAB7F8EF05301F09845EE649A7291EB719A89DB31
    Function 00DCEA44 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 166registryCOMMON
    Download Yara Rule
    APIs
    • GetProfileIntA.KERNEL32(CZCanSrv,ProcID_Min,00000010), ref: 00DCEAA8
    • GetProfileIntA.KERNEL32(CZCanSrv,ProcID_Max,000000FE), ref: 00DCEAC0
    • GetProfileIntA.KERNEL32(CZCanSrv,Internal_Address,00000011), ref: 00DCEAF5
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00000004,00DCA5C2), ref: 00DCEB0B
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Carl Zeiss\internal Test,00000000,00020019,00000004,?,00000000,?,00000004,00DCA5C2), ref: 00DCEB7A
    • RegQueryValueExA.ADVAPI32(00000004,Test Output,00000000,?,00DCA5C2,?,?,00000000,?,00000004,00DCA5C2), ref: 00DCEBA9
    • RegQueryValueExA.ADVAPI32(00000004,Test Port,00000000,00000004,00DCA5C2,?,?,00000000,?,00000004,00DCA5C2), ref: 00DCEBED
    • RegQueryValueExA.ADVAPI32(00000004,Test Mask,00000000,00000004,00DCA5C2,00000004,?,00000000,?,00000004,00DCA5C2), ref: 00DCEC1F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ProfileQueryValue$CreateEventOpen
    • String ID: CZCanSrv$Internal_Address$ProcID_Max$ProcID_Min$SOFTWARE\Carl Zeiss\internal Test$Test Mask$Test Output$Test Port
    • API String ID: 3717609535-1695375518
    • Opcode ID: d16a5ba2ed7f3c02cc4f6ba772f611296a11181ba01669a20c221872bd288c47
    • Instruction ID: f630da95c65ae089582ac27d8fcac1c4d264fe9aec77728241ae97058ed066dd
    • Opcode Fuzzy Hash: d16a5ba2ed7f3c02cc4f6ba772f611296a11181ba01669a20c221872bd288c47
    • Instruction Fuzzy Hash: F2516EB5A00749AEEB20CFA5DC44EEBF7B8FB44704F04092EE556A3250D7716A44CB62
    Function 00DC498F Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 187registrysleeptimeCOMMON
    Download Yara Rule
    APIs
    • GetCommState.KERNEL32(?,?), ref: 00DC49C7
    • Sleep.KERNEL32(000001F4), ref: 00DC4A78
    • SetCommState.KERNEL32(?,?), ref: 00DC4A85
    • GetLastError.KERNEL32 ref: 00DC4A8F
    • wsprintfA.USER32 ref: 00DC4ABE
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00DC4AE1
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00DC4AFA
    • RegQueryValueExA.ADVAPI32(?,Timeout between characters,00000000,?,?,?), ref: 00DC4B3E
    • RegQueryValueExA.ADVAPI32(?,Send Single Bytes,00000000,?,?,?), ref: 00DC4B7A
    • RegCloseKey.ADVAPI32(?), ref: 00DC4B97
    • SetCommTimeouts.KERNEL32 ref: 00DC4BF0
    • SetupComm.KERNEL32(?,000003E8,000003E8), ref: 00DC4C09
    Strings
    • Send Single Bytes, xrefs: 00DC4B6F
    • SOFTWARE\Carl Zeiss\Serial\COM%d, xrefs: 00DC4AB2
    • Timeout between characters, xrefs: 00DC4B33
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Comm$OpenQueryStateValue$CloseErrorLastSetupSleepTimeoutswsprintf
    • String ID: SOFTWARE\Carl Zeiss\Serial\COM%d$Send Single Bytes$Timeout between characters
    • API String ID: 3175716369-168431512
    • Opcode ID: 46513df3562eeed37b22e84f2dd0c5cc512e853535a4213b3c7cc659fd2077d8
    • Instruction ID: 0eed3a90397565334c0ac75016a304cdd39efea49b0287eb0bcda3d840f73183
    • Opcode Fuzzy Hash: 46513df3562eeed37b22e84f2dd0c5cc512e853535a4213b3c7cc659fd2077d8
    • Instruction Fuzzy Hash: D4719C7150070A9FDB218F65CC54FE6BBF9AF48714F18466EE5AAE3190D731AA84CF20
    Function 00DDCDF0 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 225COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch_GS.LIBCMT ref: 00DDCDFA
    • SysFreeString.OLEAUT32(?), ref: 00DDCE3D
    • SysFreeString.OLEAUT32(?), ref: 00DDCE6E
    • SafeArrayCreate.OLEAUT32 ref: 00DDCED6
    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DDCEF1
    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00DDCF0C
    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DDCF81
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DDCF95
    • wsprintfA.USER32 ref: 00DDCFF6
    • SysFreeString.OLEAUT32(?), ref: 00DDD0A4
      • Part of subcall function 00DD9FBB: __EH_prolog3.LIBCMT ref: 00DD9FC2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArraySafe$Data$FreeString$AccessUnaccess$CreateH_prolog3H_prolog3_catch_wsprintf
    • String ID: 255.255.255.255$XCD-X IP Address = %s$XCDd$no XCD-X device found
    • API String ID: 233345406-1709565787
    • Opcode ID: b9278b0b4c2065e3a10822269daff37897b8b84b1e25154b820bb527e942f718
    • Instruction ID: 792a99bf009cbf2ce7ae8b1e6c77cb98debd9bed282198fbea212830c122d40f
    • Opcode Fuzzy Hash: b9278b0b4c2065e3a10822269daff37897b8b84b1e25154b820bb527e942f718
    • Instruction Fuzzy Hash: EC815A71D00218AFDF20EFA4CC49AAEBBB9FF08700F14456AF945A7292DB715A45CB71
    Function 00DE8BCE Relevance: 24.1, APIs: 16, Instructions: 82synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DE8BD5
    • CoInitializeEx.OLE32(00000000,00000000,00000004), ref: 00DE8BE4
    • WaitForSingleObject.KERNEL32(?,00000001), ref: 00DE8C07
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DE8C0E
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00DE8C1F
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DE8C29
    • SetEvent.KERNEL32(?), ref: 00DE8C51
      • Part of subcall function 00DE8D44: __EH_prolog3_catch.LIBCMT ref: 00DE8D4B
      • Part of subcall function 00DE8D44: WaitForSingleObject.KERNEL32(?,00000000), ref: 00DE8EF3
      • Part of subcall function 00DE8D44: GetTickCount.KERNEL32 ref: 00DE8F38
    • SetEvent.KERNEL32(?), ref: 00DE8C44
    • SetEvent.KERNEL32(?), ref: 00DE8C49
    • SetEvent.KERNEL32(?), ref: 00DE8C56
    • CoUninitialize.OLE32 ref: 00DE8C86
    • SetEvent.KERNEL32(?), ref: 00DE8C97
    • SetEvent.KERNEL32(?), ref: 00DE8CC1
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$ObjectSingleWait$H_prolog3_catch$CountInitializeTickUninitialize
    • String ID:
    • API String ID: 519394346-0
    • Opcode ID: 16ceb0ee222f9f5bd6a18f443c1fcb8a341229ed93071bb44743ae6b519c189c
    • Instruction ID: bc5f233af0efc193875ff4dd0abd0f84094333e3badf0cf84454b9dd4305b431
    • Opcode Fuzzy Hash: 16ceb0ee222f9f5bd6a18f443c1fcb8a341229ed93071bb44743ae6b519c189c
    • Instruction Fuzzy Hash: 2E216070A01A5ABFDB167F32CD85B69BE62FF14780F140126E41856160CF71AD61EBF4
    Function 00DDB770 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274sleepCOMMON
    Download Yara Rule
    APIs
    • SysFreeString.OLEAUT32(?), ref: 00DDBA9D
      • Part of subcall function 00DCFCB9: __EH_prolog3_catch.LIBCMT ref: 00DCFCC0
      • Part of subcall function 00DCFCB9: WaitForSingleObject.KERNEL32(?,000003E8,0000000C,00DD9303,00000012,?), ref: 00DCFD03
    • VariantClear.OLEAUT32(?), ref: 00DDB828
    • VariantClear.OLEAUT32(?), ref: 00DDB8CE
    • SysFreeString.OLEAUT32(?), ref: 00DDB904
    • Sleep.KERNEL32(000001F4,00E3C9FA), ref: 00DDB918
    • SysFreeString.OLEAUT32(?), ref: 00DDB948
    • SysStringLen.OLEAUT32(?), ref: 00DDB958
    • SysStringLen.OLEAUT32(?), ref: 00DDB965
    • SysStringLen.OLEAUT32(?), ref: 00DDB97B
    • Sleep.KERNEL32(000001F4), ref: 00DDBA7A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$ClearSleepVariant$H_prolog3_catchObjectSingleWait
    • String ID: >>> $FFI : No SerialNo received$ffi.serial
    • API String ID: 2594690671-4059326839
    • Opcode ID: b946eda2a09e6e1e2941b57efb1aded548ea57b87be6a9d62c0f7a91f5f302b7
    • Instruction ID: a72a2d00b607c795743f356b96d8a758ccd497d57de1a854f9519c24b780b8b6
    • Opcode Fuzzy Hash: b946eda2a09e6e1e2941b57efb1aded548ea57b87be6a9d62c0f7a91f5f302b7
    • Instruction Fuzzy Hash: 54A1CF31900249EFDF15DFA4C889BEE7BB4EF08314F0950ABE945AB291DB709A44CB71
    Function 00DE9E15 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 215COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DE9E1C
    • SetEvent.KERNEL32(?), ref: 00DE9E67
      • Part of subcall function 00DE87ED: __EH_prolog3_catch.LIBCMT ref: 00DE87F4
      • Part of subcall function 00DE87ED: WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,00DEA076,?,?), ref: 00DE885A
      • Part of subcall function 00DE87ED: Sleep.KERNEL32(00000064), ref: 00DE889A
      • Part of subcall function 00DE87ED: CloseHandle.KERNEL32(?), ref: 00DE8906
    • SetEvent.KERNEL32(?), ref: 00DE9E8B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$CloseH_prolog3H_prolog3_catchHandleObjectSingleSleepWait
    • String ID: Try to Open Ethernet
    • API String ID: 196572662-2238235510
    • Opcode ID: a57087c3f5eee60153916aec2e63646b60ab489f3b24196bb68908800b3e7db7
    • Instruction ID: d44bc1b8dfff82fd91d7dbccc8d9ab3546a9d8d77e4959e4caf68601b7e303ba
    • Opcode Fuzzy Hash: a57087c3f5eee60153916aec2e63646b60ab489f3b24196bb68908800b3e7db7
    • Instruction Fuzzy Hash: 4F817D74501645EFDB14AFAACC98AAABBB9FF08300F14446EF59AD7291DB319844CF31
    Function 00DCE4C3 Relevance: 21.4, APIs: 14, Instructions: 398networksynchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DCE4CA
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DCE557
    • WSASetLastError.WS2_32(00000000), ref: 00DCE56D
    • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 00DCE594
    • WSAGetLastError.WS2_32(00000400,?,?,00000000), ref: 00DCE5C1
    • WSASetLastError.WS2_32(00000000), ref: 00DCE634
    • WSAGetLastError.WS2_32 ref: 00DCE653
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00DCE672
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00DCE69F
    • CloseHandle.KERNEL32(?), ref: 00DCE6CF
    • WSAGetLastError.WS2_32 ref: 00DCE6E4
    • WSASetLastError.WS2_32(00000000), ref: 00DCE709
    • GetTickCount.KERNEL32 ref: 00DCE737
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast$CloseCountCreateEventH_prolog3_catchHandleObjectOverlappedResultSingleTickWaitsendto
    • String ID:
    • API String ID: 2503747273-0
    • Opcode ID: e007cc60cbbe959151579671eed6df181139d3e83b6013e0d071c9eb7a269c95
    • Instruction ID: 90918ded60a2e3b5507aafb7557d3ce4f065c4eeeaa6ca2ce8494669c5103fc3
    • Opcode Fuzzy Hash: e007cc60cbbe959151579671eed6df181139d3e83b6013e0d071c9eb7a269c95
    • Instruction Fuzzy Hash: 61E15DB090020AAFDF249FA5C885BAEBBB5FF48314F18852DF555A7291DB349980CB71
    Function 00DF5BB7 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 337COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: shared_ptr$operator+$Name::operator+Name::operator=
    • String ID: L2$\2
    • API String ID: 1464150960-1072133003
    • Opcode ID: 42b82496722559e4b8e30047d3601a350a338aedb796344a10b176d2e4673b25
    • Instruction ID: 708bef844b207c923c4cafafd18552f999bf7282132560a5b7d046ca08fc0efd
    • Opcode Fuzzy Hash: 42b82496722559e4b8e30047d3601a350a338aedb796344a10b176d2e4673b25
    • Instruction Fuzzy Hash: 43D15AB1C0160E9BCB04CFA4E8896FEBBB4AB45304F26C15AE711A7259D7748749CFB0
    Function 00DD04C2 Relevance: 21.3, APIs: 14, Instructions: 287synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DD04C9
    • WaitForSingleObject.KERNEL32(?,000003E8,00000018,00DD9861,?,?,?,00000001,00E3C9FA,?,?,00000001,00E3C9FA), ref: 00DD04EB
    • SetEvent.KERNEL32(?,00000000,00000000,?,?,00000001,00E3C9FA), ref: 00DD055E
      • Part of subcall function 00DE35CB: __EH_prolog3.LIBCMT ref: 00DE35D2
    • SysFreeString.OLEAUT32(?), ref: 00DD060E
    • SysFreeString.OLEAUT32(?), ref: 00DD0648
    • SetEvent.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,00000001,00E3C9FA), ref: 00DD0663
    • SysFreeString.OLEAUT32(00000000), ref: 00DD066C
    • SysFreeString.OLEAUT32(?), ref: 00DD0671
      • Part of subcall function 00DCED82: SysFreeString.OLEAUT32(?), ref: 00DCEDA4
    • SysFreeString.OLEAUT32(?), ref: 00DD06F5
    • SysFreeString.OLEAUT32(?), ref: 00DD072F
    • SetEvent.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,00000001,00E3C9FA), ref: 00DD084F
    • SysFreeString.OLEAUT32(00000000), ref: 00DD0858
    • SysFreeString.OLEAUT32(?), ref: 00DD085D
    • SysFreeString.OLEAUT32(?), ref: 00DD0873
      • Part of subcall function 00DCEDB2: __EH_prolog3_catch_GS.LIBCMT ref: 00DCEDDE
      • Part of subcall function 00DCEDB2: WaitForSingleObject.KERNEL32(?,000003E8,0000010C,00000000), ref: 00DCEDFA
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeString$Event$ObjectSingleWait$H_prolog3H_prolog3_catchH_prolog3_catch_
    • String ID:
    • API String ID: 3867872575-0
    • Opcode ID: dedff8c2a51d41a809d2a3460eab4841579ec3437d0ceb975c661560f0e362bd
    • Instruction ID: 898027f5237ecb054638129db7b17ac0f2d2e69ba9765c63ea1a785e2b691e63
    • Opcode Fuzzy Hash: dedff8c2a51d41a809d2a3460eab4841579ec3437d0ceb975c661560f0e362bd
    • Instruction Fuzzy Hash: B1B18170A0020AAFCF15EF64C895BFE7BA5EF88304F58442DE946A7391DA31DA55CB70
    Function 00DF93D0 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::operator+.LIBCMT ref: 00DF94AC
    • UnDecorator::getSignedDimension.LIBCMT ref: 00DF94B7
    • DName::DName.LIBVCRUNTIME ref: 00DF94CA
    • UnDecorator::getSignedDimension.LIBCMT ref: 00DF95B2
    • UnDecorator::getSignedDimension.LIBCMT ref: 00DF95CF
    • UnDecorator::getSignedDimension.LIBCMT ref: 00DF95EC
    • DName::operator+.LIBCMT ref: 00DF9601
    • UnDecorator::getSignedDimension.LIBCMT ref: 00DF961B
    • swprintf.LIBCMT ref: 00DF968E
    • DName::operator+.LIBCMT ref: 00DF96E2
      • Part of subcall function 00DF55A2: DName::DName.LIBVCRUNTIME ref: 00DF55B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
    • String ID: h/$p/
    • API String ID: 3689813335-2108737729
    • Opcode ID: 2d1157a5f89cd85f61527625655cebad04faa00c57707f592b7e30b074a5b155
    • Instruction ID: b9cd84e9d85c13a38409eb14d689e8c2e17d6318a2198a6c9cad310c693d1e24
    • Opcode Fuzzy Hash: 2d1157a5f89cd85f61527625655cebad04faa00c57707f592b7e30b074a5b155
    • Instruction Fuzzy Hash: D591D771C0020E9ACB15EFB8D9A9BFEF778EF15300F26C119E701A6291DB659A09C671
    Function 00DC41D3 Relevance: 21.1, APIs: 14, Instructions: 134synchronizationfileCOMMON
    Download Yara Rule
    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC4205
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DC421A
    • WaitForSingleObject.KERNEL32(?,00000014), ref: 00DC422E
    • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00DC424E
    • ReadFile.KERNEL32(?,?,00000001,?,?), ref: 00DC429D
    • GetTickCount.KERNEL32 ref: 00DC42DF
    • SetEvent.KERNEL32(?), ref: 00DC4328
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DC4336
    • GetTickCount.KERNEL32 ref: 00DC4349
      • Part of subcall function 00DC4C2C: __EH_prolog3.LIBCMT ref: 00DC4C33
    • CloseHandle.KERNEL32(?), ref: 00DC435F
    • SetEvent.KERNEL32(?), ref: 00DC436B
    • SetEvent.KERNEL32(?), ref: 00DC4377
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$ObjectSingleWait$CountTick$CloseCreateFileH_prolog3HandleOverlappedReadResult
    • String ID:
    • API String ID: 1833575625-0
    • Opcode ID: 3e0a6366371b06fb3638be0eed14c35688e349cbd57f784e71047e33e321476a
    • Instruction ID: f185f023804c9f3711052451d28c6609a58c6ebe5060b29d031274330730ca47
    • Opcode Fuzzy Hash: 3e0a6366371b06fb3638be0eed14c35688e349cbd57f784e71047e33e321476a
    • Instruction Fuzzy Hash: 105117319002099FDB219FB1DC99FAEBBB9FB45301F18853DA59AE3061DB305988DF21
    Function 00DCD44E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 123COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DCD455
    • SysStringLen.OLEAUT32(?), ref: 00DCD4E8
    • SysFreeString.OLEAUT32(?), ref: 00DCD53A
    • SysFreeString.OLEAUT32(?), ref: 00DCD54F
    • ResetEvent.KERNEL32(?,?,?,?,00000000,EndSession()), ref: 00DCD572
    • SysFreeString.OLEAUT32(?), ref: 00DCD5A2
    • SysFreeString.OLEAUT32(?), ref: 00DCD5A7
      • Part of subcall function 00DC29B7: __EH_prolog3.LIBCMT ref: 00DC29BE
      • Part of subcall function 00DC2A23: SysFreeString.OLEAUT32(?), ref: 00DC2A74
    • SysFreeString.OLEAUT32(?), ref: 00DCD5C7
    • SysFreeString.OLEAUT32(?), ref: 00DCD5CC
    • SetEvent.KERNEL32(?), ref: 00DCD5D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$EventH_prolog3$Reset
    • String ID: 10000$EndSession()
    • API String ID: 3108919448-2092771842
    • Opcode ID: 188bb1b25678d3dcca7025af67f74229fc2d3626ef19124bedac3d68091b72df
    • Instruction ID: ef4a56e9c3753512e9b4f291f7497490a2f8af0bd6344c694367e536c91b7cc7
    • Opcode Fuzzy Hash: 188bb1b25678d3dcca7025af67f74229fc2d3626ef19124bedac3d68091b72df
    • Instruction Fuzzy Hash: 6E415770A0070A9FEB15AFA5CD49BAEBBB2FF48304F14053DE585A72A1DB759940CB30
    Function 00DCB4A1 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 79registryCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DCB4A8
    • CoInitialize.OLE32(00000000), ref: 00DCB4B2
      • Part of subcall function 00DCC525: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00DCC550
      • Part of subcall function 00DCC525: MessageBoxA.USER32(00000000,Service could not be deleted,?,00000000), ref: 00DCC56A
    • RegCloseKey.ADVAPI32(00000000,80000000,AppID,00020006,?,00000064,00000001,00000000), ref: 00DCB594
      • Part of subcall function 00DCAA62: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00DCADD3,?,00000000,?,00000000,00000000), ref: 00DCAA8C
    • RegDeleteValueA.ADVAPI32(?,LocalService,?,{A3D51521-7C23-4FEB-851D-15636F49E2CD},00020006,80000000,AppID,00020006,?,00000064,00000001,00000000), ref: 00DCB531
    • CoUninitialize.OLE32(?,00000064,00000001,00000000), ref: 00DCB57A
      • Part of subcall function 00DCC340: _strlen.LIBCMT ref: 00DCC364
      • Part of subcall function 00DCC340: RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,?), ref: 00DCC382
    • RegCloseKey.ADVAPI32(?,?,{A3D51521-7C23-4FEB-851D-15636F49E2CD},00020006,80000000,AppID,00020006,?,00000064,00000001,00000000), ref: 00DCB585
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseOpenValue$DeleteH_prolog3InitializeManagerMessageUninitialize_strlen
    • String ID: -Service$AppID$CZCanSrv$LocalService$ServiceParameters${A3D51521-7C23-4FEB-851D-15636F49E2CD}
    • API String ID: 333840658-4210930217
    • Opcode ID: 68a0a9aef47bcb0a624d6269a4cfd6e8d85a3cbf30f1230fb3fc32f2cb933ed6
    • Instruction ID: 2265398ca10c44af321ff73e20d2de63fa15e820e6fcaabf577e635eadf7568f
    • Opcode Fuzzy Hash: 68a0a9aef47bcb0a624d6269a4cfd6e8d85a3cbf30f1230fb3fc32f2cb933ed6
    • Instruction Fuzzy Hash: F7219E30E4031AABCB21AFA58C4AFAEBEB5EF40720F14015DF501772D1CBB58905CAB1
    Function 00DED60F Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON
    Download Yara Rule
    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(00E525F4,00000FA0,?,?,00DED5ED), ref: 00DED61B
    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00DED5ED), ref: 00DED626
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00DED5ED), ref: 00DED637
    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00DED649
    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00DED657
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00DED5ED), ref: 00DED67A
    • DeleteCriticalSection.KERNEL32(00E525F4,00000007,?,?,00DED5ED), ref: 00DED696
    • CloseHandle.KERNEL32(00000000,?,?,00DED5ED), ref: 00DED6A6
    Strings
    • kernel32.dll, xrefs: 00DED632
    • WakeAllConditionVariable, xrefs: 00DED64F
    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00DED621
    • SleepConditionVariableCS, xrefs: 00DED643
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
    • API String ID: 2565136772-3242537097
    • Opcode ID: 71e771783b1f3eeba094b02c8f97bf0c542423acc3a21660736fa962a0cc03b7
    • Instruction ID: 2e1cee06f7726a86aca8f4136bb0fe207420441282335454b26ca8836a8e66e6
    • Opcode Fuzzy Hash: 71e771783b1f3eeba094b02c8f97bf0c542423acc3a21660736fa962a0cc03b7
    • Instruction Fuzzy Hash: 4501D8F564131A6FDB142F73BC0CA263E59EB41741B0D052CFE54F2160EFA0C8889676
    Function 00DCE254 Relevance: 19.7, APIs: 13, Instructions: 182networksleepsynchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DCE25E
    • closesocket.WS2_32(?), ref: 00DCE288
    • WaitForSingleObject.KERNEL32(?,00001388), ref: 00DCE2E2
    • closesocket.WS2_32(?), ref: 00DCE2F8
    • Sleep.KERNEL32(000001F4), ref: 00DCE30A
    • WSAStartup.WS2_32(00000101,?), ref: 00DCE31C
    • WSASocketA.WS2_32(00000002,00000001,00000000,00000000,00000000,00000001), ref: 00DCE329
    • WSAConnect.WS2_32(00000000,?,00000010,?,?,00000000,00000000), ref: 00DCE349
    • SetEvent.KERNEL32(?), ref: 00DCE35D
    • ResetEvent.KERNEL32(?), ref: 00DCE377
    • WSAEventSelect.WS2_32(?,?,00000020), ref: 00DCE38B
    • WSAGetLastError.WS2_32 ref: 00DCE405
    • closesocket.WS2_32(?), ref: 00DCE471
      • Part of subcall function 00DE9D2E: __EH_prolog3_catch.LIBCMT ref: 00DE9D35
      • Part of subcall function 00DE87ED: __EH_prolog3_catch.LIBCMT ref: 00DE87F4
      • Part of subcall function 00DE87ED: WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,00DEA076,?,?), ref: 00DE885A
      • Part of subcall function 00DE87ED: Sleep.KERNEL32(00000064), ref: 00DE889A
      • Part of subcall function 00DE87ED: CloseHandle.KERNEL32(?), ref: 00DE8906
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Eventclosesocket$H_prolog3_catchObjectSingleSleepWait$CloseConnectErrorH_prolog3_HandleLastResetSelectSocketStartup
    • String ID:
    • API String ID: 4124300202-0
    • Opcode ID: 5e58e0c00b2351c8c3c1c54a4eaa83e74517f80d02c11b310c90e934ff6873d0
    • Instruction ID: f9c984b2bff54152a1b1af0ffb69a53aaa135422afa91ae944d0eb00045a54ae
    • Opcode Fuzzy Hash: 5e58e0c00b2351c8c3c1c54a4eaa83e74517f80d02c11b310c90e934ff6873d0
    • Instruction Fuzzy Hash: A661907060074BBFDB186FA5CD49FAABB6AFF04311F14422DB555561E0CB709860DBB1
    Function 00DC8B8C Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 288registrycomCOMMON
    Download Yara Rule
    APIs
    • CoCreateInstance.OLE32(00E41B80,00000000,00000001,00E3DA68,?,?,?,?), ref: 00DC8BE5
    • StringFromGUID2.OLE32(?,?,00000040), ref: 00DC8CA8
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00DC8DF7
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,?,?,00000003,?), ref: 00DC8E08
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00DC8EC7
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,80000000,?,00020019), ref: 00DC8ED8
    • RegCloseKey.ADVAPI32(?,80000000,?,00020019,?,?,?,?,?,?,?,?,?,80000000,?,00020019), ref: 00DC8F09
    • RegCloseKey.ADVAPI32(80000000,80000000,?,00020019,?,?,?,?,?,?,?,?,?,80000000,?,00020019), ref: 00DC8F14
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Close$InfoQuery$CreateFromInstanceString
    • String ID: CLSID\$\Implemented Categories$\Required Categories
    • API String ID: 939717369-4092563799
    • Opcode ID: 519eeb4e9509e5798289e202529ecd05c16256ba314b04806dc4fe2311f20607
    • Instruction ID: d602b422ef063a7f5160304ff1b6fcc4142ef5947a9777919c19c6d775e4062d
    • Opcode Fuzzy Hash: 519eeb4e9509e5798289e202529ecd05c16256ba314b04806dc4fe2311f20607
    • Instruction Fuzzy Hash: 02A14C7190021A9BDB249F55CD85FEAB7BCEF49300F14409DF649A7141EB309E819FB0
    Function 00DCC05A Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97threadwindowCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DCC061
    • GetCurrentThreadId.KERNEL32 ref: 00DCC068
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00DCC077
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000004,00000003,00000000,00000000,00000000), ref: 00DCC0A3
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00DCC10B
    • CloseHandle.KERNEL32 ref: 00DCC128
    • CoUninitialize.OLE32 ref: 00DCC169
      • Part of subcall function 00DCA896: RegisterEventSourceA.ADVAPI32(00000000,?), ref: 00DCA8E2
      • Part of subcall function 00DCA896: ReportEventA.ADVAPI32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00DCA8FF
      • Part of subcall function 00DCA896: DeregisterEventSource.ADVAPI32(00000000), ref: 00DCA906
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$InitializeSource$CloseCurrentDeregisterH_prolog3HandleMessageRegisterReportSecurityThreadUninitialize
    • String ID: 0$$Service not started, initialization failed.$Service started
    • API String ID: 205031218-3672854496
    • Opcode ID: 7d893450798cd938e6961da9e51b761ec7293fe7eb0e1da8113b93019c5b82c2
    • Instruction ID: cb955e6867dda1a34acda6f4219f46c357622023ecb1f4728e463d0e0e56cf31
    • Opcode Fuzzy Hash: 7d893450798cd938e6961da9e51b761ec7293fe7eb0e1da8113b93019c5b82c2
    • Instruction Fuzzy Hash: 4A31353191431AAFCB257772AC0AFAE7B74EF82B01F14111EF601771A2DF7548858671
    Function 00DD4785 Relevance: 18.2, APIs: 12, Instructions: 184COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DD478C
      • Part of subcall function 00DC2AB0: SysFreeString.OLEAUT32(?), ref: 00DC2AB8
    • SysFreeString.OLEAUT32(?), ref: 00DD47F1
      • Part of subcall function 00DCEDB2: __EH_prolog3_catch_GS.LIBCMT ref: 00DCEDDE
      • Part of subcall function 00DCEDB2: WaitForSingleObject.KERNEL32(?,000003E8,0000010C,00000000), ref: 00DCEDFA
    • SysFreeString.OLEAUT32(?), ref: 00DD4818
    • SysFreeString.OLEAUT32(?), ref: 00DD4840
    • SysFreeString.OLEAUT32(?), ref: 00DD4883
    • SysFreeString.OLEAUT32(?), ref: 00DD48AA
    • SysFreeString.OLEAUT32(?), ref: 00DD48D2
    • SysFreeString.OLEAUT32(?), ref: 00DD4915
    • SysFreeString.OLEAUT32(?), ref: 00DD493C
    • SysFreeString.OLEAUT32(?), ref: 00DD4964
    • SysFreeString.OLEAUT32(?), ref: 00DD49C3
    • SysFreeString.OLEAUT32(?), ref: 00DD49E6
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeString$H_prolog3_H_prolog3_catch_ObjectSingleWait
    • String ID:
    • API String ID: 2169596917-0
    • Opcode ID: 48dd5b445173e00c51e4c760cfb26e66dd7e078f5564441facda46fd11b6de91
    • Instruction ID: 9f2a7a0216c93a6e6b35d5561e8bd76640703e6059945353e21eba4d2e70d820
    • Opcode Fuzzy Hash: 48dd5b445173e00c51e4c760cfb26e66dd7e078f5564441facda46fd11b6de91
    • Instruction Fuzzy Hash: 2E7107B2D0025DAADF14EBA4CC46BEDBBB9BF08320F444159E462B32D1DB785A44DB71
    Function 00DC3111 Relevance: 18.1, APIs: 12, Instructions: 137threadCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DC3118
    • GetTickCount.KERNEL32 ref: 00DC314A
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000), ref: 00DC31B4
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DC31C0
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DC31CC
    • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00DC31DF
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC3250
    • GetTickCount.KERNEL32 ref: 00DC32A0
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Create$Event$CountTick$H_prolog3Thread
    • String ID:
    • API String ID: 2325667992-0
    • Opcode ID: eb9f9c8492ffd8e9d72a9b05b960adce85954b789125b8b38cc89e9740794de7
    • Instruction ID: 33a2b54b4236fb73a0e6e092d2c8e24b74a378d7fdc9bfbaaf68f1047f096e28
    • Opcode Fuzzy Hash: eb9f9c8492ffd8e9d72a9b05b960adce85954b789125b8b38cc89e9740794de7
    • Instruction Fuzzy Hash: 74414071900785AFDB209BBA8C4CFABFAF9EF85700F14852EB185E7190DA759944CB30
    Function 00DD6CDA Relevance: 18.1, APIs: 12, Instructions: 73synchronizationsleepCOMMON
    Download Yara Rule
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00DD6CE4
    • Sleep.KERNEL32(00000001), ref: 00DD6CEF
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DD6CFD
    • SetEvent.KERNEL32(?), ref: 00DD6D28
    • SetEvent.KERNEL32(?,00000000), ref: 00DD6D4E
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DD6D55
    • SetEvent.KERNEL32(?), ref: 00DD6D62
    • Sleep.KERNEL32(00000001), ref: 00DD6D66
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DD6D71
    • CoUninitialize.OLE32 ref: 00DD6D82
    • SetEvent.KERNEL32(00000000), ref: 00DD6D8B
    • SetEvent.KERNEL32(?), ref: 00DD6D90
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$ObjectSingleWait$Sleep$InitializeUninitialize
    • String ID:
    • API String ID: 122623653-0
    • Opcode ID: b77925f9153c4a051886eb93187681bfcf7d65098a54874bd19168edfa0393b7
    • Instruction ID: 02f38abfe70cd813f1c2129dd0676b8c4ec5c77cc2304da2ff357586a49bf294
    • Opcode Fuzzy Hash: b77925f9153c4a051886eb93187681bfcf7d65098a54874bd19168edfa0393b7
    • Instruction Fuzzy Hash: 54214F31300704AFDB206F62EC49F1A7FA6EF44711F184439E696966A1DBB2E844CF61
    Function 00DDB327 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 218sleepCOMMON
    Download Yara Rule
    APIs
    • SysFreeString.OLEAUT32(?), ref: 00DDB5B4
      • Part of subcall function 00DCFCB9: __EH_prolog3_catch.LIBCMT ref: 00DCFCC0
      • Part of subcall function 00DCFCB9: WaitForSingleObject.KERNEL32(?,000003E8,0000000C,00DD9303,00000012,?), ref: 00DCFD03
    • VariantClear.OLEAUT32(?), ref: 00DDB3DF
    • SysFreeString.OLEAUT32(?), ref: 00DDB47D
    • Sleep.KERNEL32(000001F4,00E3C9FA), ref: 00DDB491
    • SysFreeString.OLEAUT32(?), ref: 00DDB4C1
    • SysStringLen.OLEAUT32(?), ref: 00DDB4CB
    • SysStringLen.OLEAUT32(?), ref: 00DDB4DE
    • SysStringLen.OLEAUT32(?), ref: 00DDB4EC
    • SysStringLen.OLEAUT32(?), ref: 00DDB52A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$ClearH_prolog3_catchObjectSingleSleepVariantWait
    • String ID: ffi.firmware
    • API String ID: 4081980128-3553897946
    • Opcode ID: 52dffdc96a03ccbaf87bf984870e2f839d1172a98790fa60555e5b3613d89901
    • Instruction ID: 53c99bec4ad66c161f886173456750dd4236f4c65755089289835df23b28ad33
    • Opcode Fuzzy Hash: 52dffdc96a03ccbaf87bf984870e2f839d1172a98790fa60555e5b3613d89901
    • Instruction Fuzzy Hash: F781B071900249EFDF15DFA4D889BEE7BB5EF04314F4940AAE841AB392DB70DA44CB61
    Function 00DFA1B2 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 180COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • Replicator::operator[].LIBVCRUNTIME ref: 00DFA1EF
    • DName::operator=.LIBVCRUNTIME ref: 00DFA241
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator=Replicator::operator[]
    • String ID: $/$@$generic-type-$template-parameter-
    • API String ID: 3211817929-3887157309
    • Opcode ID: 1feb57c4e057b9cdf7168fb079ca40ab2fd8bdd656897a8343ecb6b72440a19b
    • Instruction ID: 11709fbd825b375a090800fe6844fce4ef2f8e09fe108dc3cc7f678238df6c43
    • Opcode Fuzzy Hash: 1feb57c4e057b9cdf7168fb079ca40ab2fd8bdd656897a8343ecb6b72440a19b
    • Instruction Fuzzy Hash: FE618FB190020D9FCB05DF99D845AFEBBB8EF45300F56801AE709B7291DB749949CBB1
    Function 00DC7ED4 Relevance: 16.8, APIs: 11, Instructions: 323COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DCA94F: CharNextA.USER32(00000000,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA976
      • Part of subcall function 00DCA94F: CharNextA.USER32(?,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA9EA
      • Part of subcall function 00DCCCB2: lstrcmpiA.KERNEL32(00000022,00E3C6DC), ref: 00DCCCC4
    • _strlen.LIBCMT ref: 00DC7FCA
    • CharNextA.USER32(00000000,-00000002,?,?,3D2EC555,00000000,00000000,?,?,?,00E36D52,000000FF,?,00DCB98B,?,00000000), ref: 00DC801C
    • CharNextA.USER32(00000000,?,00DCB98B,?,00000000,00000000,00000000,?,00000000,0002001F), ref: 00DC8031
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CharNext$_strlenlstrcmpi
    • String ID:
    • API String ID: 214070177-0
    • Opcode ID: ee3174a208b99033d9e940669f7b7132859c7647c94f8794f5b214ce7d7fa919
    • Instruction ID: 2ff4c7169e53ea8d1b05bff8870e7b007a7f79382aba037e40291c743b9c7eed
    • Opcode Fuzzy Hash: ee3174a208b99033d9e940669f7b7132859c7647c94f8794f5b214ce7d7fa919
    • Instruction Fuzzy Hash: 2DC1817290026AABCB259B64CC45FE9F7B8EB09310F1800EDE749A3151DB349E859FB1
    Function 00DEA3FB Relevance: 16.7, APIs: 11, Instructions: 242synchronizationthreadCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DEA402
    • WaitForSingleObject.KERNEL32(?,000003E8,00000008,00DE33B2,?), ref: 00DEA42E
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000), ref: 00DEA492
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DEA49E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DEA4AA
    • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00DEA4BD
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEA5BA
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEA5C4
    • CloseHandle.KERNEL32(?), ref: 00DEA5D5
    • CloseHandle.KERNEL32(?), ref: 00DEA5DD
    • CloseHandle.KERNEL32(?), ref: 00DEA5E5
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Create$CloseEventHandleObjectSingleWait$H_prolog3Thread
    • String ID:
    • API String ID: 2915550378-0
    • Opcode ID: 12ce834ce737645f73066ba79ccb8096ad1c96f6ea3d2f04887e5ff48d642c2d
    • Instruction ID: 22bdaf9c5986d5c27c21fc9995f524d30f019e83345b856bdbc8b57d424bfd0a
    • Opcode Fuzzy Hash: 12ce834ce737645f73066ba79ccb8096ad1c96f6ea3d2f04887e5ff48d642c2d
    • Instruction Fuzzy Hash: 9181AB71900657BFDB14AF6ACC44A69BBA9FB05350F18822DF51DA72D0DB30AC54CBB2
    Function 00DDBFD6 Relevance: 16.7, APIs: 11, Instructions: 218sleepCOMMON
    Download Yara Rule
    APIs
    • SysFreeString.OLEAUT32(?), ref: 00DDC26B
      • Part of subcall function 00DCFCB9: __EH_prolog3_catch.LIBCMT ref: 00DCFCC0
      • Part of subcall function 00DCFCB9: WaitForSingleObject.KERNEL32(?,000003E8,0000000C,00DD9303,00000012,?), ref: 00DCFD03
    • VariantClear.OLEAUT32(?), ref: 00DDC08E
    • SysFreeString.OLEAUT32(?), ref: 00DDC12C
    • Sleep.KERNEL32(000003E8,00E3C9FA), ref: 00DDC140
    • SysFreeString.OLEAUT32(?), ref: 00DDC170
    • SysStringLen.OLEAUT32(?), ref: 00DDC177
    • SysStringLen.OLEAUT32(?), ref: 00DDC18A
    • SysStringLen.OLEAUT32(?), ref: 00DDC198
    • SysStringLen.OLEAUT32(?), ref: 00DDC1CE
    • Sleep.KERNEL32(00000064), ref: 00DDC22E
    • Sleep.KERNEL32(000001F4), ref: 00DDC248
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$FreeSleep$ClearH_prolog3_catchObjectSingleVariantWait
    • String ID:
    • API String ID: 1614285448-0
    • Opcode ID: 4778a3f4367828869cc4c2191428e6efce813d86b633b9146a68cc0967fc46f4
    • Instruction ID: 6a337f176b15f644db4fed482d79828d9a5361ca4ef46d199ed4387a10722ea3
    • Opcode Fuzzy Hash: 4778a3f4367828869cc4c2191428e6efce813d86b633b9146a68cc0967fc46f4
    • Instruction Fuzzy Hash: 9681B43191024AEFDF15DFA4C848BEE7BB5EF04300F0851AAE855AB292DB709A44CB71
    Function 00DE87ED Relevance: 16.7, APIs: 11, Instructions: 202sleepsynchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DE87F4
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,00DEA076,?,?), ref: 00DE885A
    • Sleep.KERNEL32(00000064), ref: 00DE889A
    • CloseHandle.KERNEL32(?), ref: 00DE8906
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseH_prolog3_catchHandleObjectSingleSleepWait
    • String ID:
    • API String ID: 2234783460-0
    • Opcode ID: 9c15fb002045347bf0a5cbc6d7cfd2d2527a712717adff515bc991abd325da06
    • Instruction ID: 66f8a197bb563296edddc9c13a48d8f1d2abf8ba3441a28d13c4994dc8e0cee9
    • Opcode Fuzzy Hash: 9c15fb002045347bf0a5cbc6d7cfd2d2527a712717adff515bc991abd325da06
    • Instruction Fuzzy Hash: DD814D70900B46DFDB25AF26D88566ABBF1FF04310F14852EE5AE966A1DF30E940DF21
    Function 00DD0DF6 Relevance: 16.6, APIs: 11, Instructions: 122COMMON
    Download Yara Rule
    APIs
    • HidD_GetHidGuid.HID ref: 00DD0E1F
    • SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000012), ref: 00DD0E2E
    • SetupDiEnumDeviceInterfaces.SETUPAPI(00000000,00000000,?,?,0000001C), ref: 00DD0E4D
    • SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00DD0E58
    • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(00000000,0000001C,00000000,00000000,?,00000000), ref: 00DD0E77
    • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,0000001C,00000000,?,?,00000000), ref: 00DD0E9B
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00DD0EA4
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Setup$Device$DestroyDetailInfoInterfaceList$ClassDevsEnumGuidInterfaces
    • String ID:
    • API String ID: 1392612605-0
    • Opcode ID: 5a89bf1664818da567986656b6ad4b8acc87f2197b216e53771bb443ec4277c3
    • Instruction ID: 4305674bb70ece70c93eac0abee1887b237c3e83ee07008f7ca9b31a93728ddc
    • Opcode Fuzzy Hash: 5a89bf1664818da567986656b6ad4b8acc87f2197b216e53771bb443ec4277c3
    • Instruction Fuzzy Hash: EC41F771900208BFDB259FA6EC48EAF7BBCEF89710F14012AF915EA1A0D7305A45CB71
    Function 00DEA701 Relevance: 16.5, APIs: 11, Instructions: 42synchronizationCOMMON
    Download Yara Rule
    APIs
    • SetEvent.KERNEL32(?), ref: 00DEA71E
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEA72C
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEA736
    • CloseHandle.KERNEL32(?), ref: 00DEA742
    • CloseHandle.KERNEL32(?), ref: 00DEA74A
    • CloseHandle.KERNEL32(?), ref: 00DEA752
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEA762
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEA769
    • CloseHandle.KERNEL32(?), ref: 00DEA775
    • CloseHandle.KERNEL32(?), ref: 00DEA77A
    • CloseHandle.KERNEL32(?), ref: 00DEA77F
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseHandle$ObjectSingleWait$Event
    • String ID:
    • API String ID: 541887017-0
    • Opcode ID: 78116b67e5d96e2f5daed1b30f2571b8021332c494a94897a7ab2b261063ed0c
    • Instruction ID: 3a23648b39b6a55ade0c347523d99bda69d4e453244d553db910519a86424f36
    • Opcode Fuzzy Hash: 78116b67e5d96e2f5daed1b30f2571b8021332c494a94897a7ab2b261063ed0c
    • Instruction Fuzzy Hash: EF01C831004A55AFDB226B26DC48B56BBA1FF80325F154A29E1F6911F08F716859EF21
    Function 00DF2B1B Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 00DF2C18
    • type_info::operator==.LIBVCRUNTIME ref: 00DF2C3A
    • ___TypeMatch.LIBVCRUNTIME ref: 00DF2D49
    • IsInExceptionSpec.LIBVCRUNTIME ref: 00DF2E1B
    • _UnwindNestedFrames.LIBCMT ref: 00DF2E9F
    • CallUnexpected.LIBVCRUNTIME ref: 00DF2EBA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2123188842-393685449
    • Opcode ID: 29e6ea046344fae6b5f075bffc52e6132b8f377606161d72456c808a4ebe1020
    • Instruction ID: d24c04d0438887ffbf0d7bb8c098b5a60d383fc9d2dc4f84bd0bc1d080d32eca
    • Opcode Fuzzy Hash: 29e6ea046344fae6b5f075bffc52e6132b8f377606161d72456c808a4ebe1020
    • Instruction Fuzzy Hash: E3B16B7580020DAFCF19EFA4C8819BEBBB5FF04310B2A8559FA146B256D731DA51CBB1
    Function 00DC8849 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 265COMMON
    Download Yara Rule
    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000104,?,00000000,?), ref: 00DC88A6
      • Part of subcall function 00DC877A: GetLastError.KERNEL32(00DC9B50,?,?,C000008C,00000001,?,00DC9297,00000000,?,?,00DC6E24,?,00DC7B3E,?,00000000,00DCC75B), ref: 00DC877A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorFileLastModuleName
    • String ID: .tlb
    • API String ID: 2776309574-1487266626
    • Opcode ID: 5e8b5196622ef00f0f033eedc35f956393acd5af767e9b4a0a4a6f966250a377
    • Instruction ID: 9de6858290f54a8a17b1a9b879fffe15aeff4bacfa3edccac3aea0150b1f031b
    • Opcode Fuzzy Hash: 5e8b5196622ef00f0f033eedc35f956393acd5af767e9b4a0a4a6f966250a377
    • Instruction Fuzzy Hash: 2691F5B2A0021A9BCB259B64CC45FEE77BAEF49310F1845ADE54AE7241DE30DE41DB70
    Function 00DC32F9 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 222registryCOMMON
    Download Yara Rule
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DEVICEMAP\SERIALCOMM,00000000,00020019,?), ref: 00DC3346
    • RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DEVICEMAP\SERIALCOMM,?), ref: 00DC335D
    • RegEnumValueA.ADVAPI32(?,00000000,?,00000800,00000000,?,?,?), ref: 00DC33B7
    • RegCloseKey.ADVAPI32(?), ref: 00DC35FA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Open$CloseEnumValue
    • String ID: C$HARDWARE\DEVICEMAP\SERIALCOMM$M$P$V
    • API String ID: 1666552390-3353981412
    • Opcode ID: 6b5b7c5580056e417a4ef85fd239a5154522f54a4266bb262d9de77b139eb3b3
    • Instruction ID: 5f5eaa1955eaf1e0245f9a15e7e630039b3fb70967a98ad3c468c9301cb0e0a7
    • Opcode Fuzzy Hash: 6b5b7c5580056e417a4ef85fd239a5154522f54a4266bb262d9de77b139eb3b3
    • Instruction Fuzzy Hash: E6811774A1459A4FDB398B18D869FFA77E6AB04301F68C4ADD289D3191C7748FC88F60
    Function 00DCFDEE Relevance: 15.2, APIs: 10, Instructions: 197synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DCFDF5
      • Part of subcall function 00DD087F: __EH_prolog3.LIBCMT ref: 00DD0886
      • Part of subcall function 00DD087F: SysFreeString.OLEAUT32(?), ref: 00DD08DE
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000000,00000018,00DD9657,?,00000012,?,?,00000001,00E3C9FA), ref: 00DCFE4A
    • SetEvent.KERNEL32(?,?,?,00000001,00E3C9FA), ref: 00DCFEBC
    • SysFreeString.OLEAUT32(00000000), ref: 00DCFEC5
    • SysFreeString.OLEAUT32(?), ref: 00DCFF14
    • SetEvent.KERNEL32(?,?,?,00000001,00E3C9FA), ref: 00DD007E
    • SysFreeString.OLEAUT32(?), ref: 00DD0087
    • SysFreeString.OLEAUT32(?), ref: 00DD0094
    • SysFreeString.OLEAUT32(?), ref: 00DD0099
    • SysFreeString.OLEAUT32(?), ref: 00DD00AF
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeString$Event$H_prolog3H_prolog3_catchObjectSingleWait
    • String ID:
    • API String ID: 1767751425-0
    • Opcode ID: aaf8b4f19f21d4d1f809deb578305558767f7972a8e9d36278ce71dde9a37b5c
    • Instruction ID: 4e1c886d28970bfeda0854518a045dae7708af5367c5f886eda238317157d077
    • Opcode Fuzzy Hash: aaf8b4f19f21d4d1f809deb578305558767f7972a8e9d36278ce71dde9a37b5c
    • Instruction Fuzzy Hash: 17815CB06003099FCF16DF64C881BEE7BA6EF44304F14446DEA46A7362DB34D955CBA5
    Function 00DFB9CF Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: __aulldiv
    • String ID: :$f$f$f$p$p$p
    • API String ID: 3732870572-1434680307
    • Opcode ID: 3c507ff5d2408038340ad0c68cc8c9b27ec973e1d6d225973943b0e772cac77f
    • Instruction ID: 1091e2eee5fc86f73bb153feb949bc77f29384d38ce3038455874a6cdf508f09
    • Opcode Fuzzy Hash: 3c507ff5d2408038340ad0c68cc8c9b27ec973e1d6d225973943b0e772cac77f
    • Instruction Fuzzy Hash: A1025735A0014CAADF208FA8C8456FDB7B2FF40B24FA6C556E6567B280D7318E858F75
    Function 00DDA256 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 460COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DDA25D
    • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00DDA4D9
    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DDA4EF
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DDA50C
    • SysFreeString.OLEAUT32(00000000), ref: 00DDA69A
    • SysFreeString.OLEAUT32(00000000), ref: 00DDA6A1
    • SafeArrayDestroy.OLEAUT32(00000000), ref: 00DDA788
      • Part of subcall function 00DDADBB: __EH_prolog3.LIBCMT ref: 00DDADC2
      • Part of subcall function 00DDADBB: EnterCriticalSection.KERNEL32(00000000,00000020,00DDA6E8,?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DDAE14
      • Part of subcall function 00DDADBB: LeaveCriticalSection.KERNEL32(?,00000000), ref: 00DDAE38
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArraySafe$CriticalDataFreeH_prolog3SectionString$AccessCreateDestroyEnterLeaveUnaccess
    • String ID: 10000
    • API String ID: 329818122-2008841541
    • Opcode ID: b5a61cfcd98395ece3f8039704aeb18d0b06475c25129f70f44752d3089f8c82
    • Instruction ID: f85aa526620cceb78d3999fd8d8cb952d5aa8b4370a989026da5397da79bb0e9
    • Opcode Fuzzy Hash: b5a61cfcd98395ece3f8039704aeb18d0b06475c25129f70f44752d3089f8c82
    • Instruction Fuzzy Hash: 03F19E70900214AADF259FACC885BBE77BAEF45301F18C45BE8519A296E734DD81C773
    Function 00DC9B58 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 203COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DC9B62
    • EnterCriticalSection.KERNEL32(00E52420,00000120,00DC9E2E,?,?,?,?,00DC4E13,?,?), ref: 00DC9B8E
    • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00DC9BF4
    • _strlen.LIBCMT ref: 00DC9C1D
    • LoadTypeLib.OLEAUT32(00000000,?), ref: 00DC9C93
    • LeaveCriticalSection.KERNEL32(?), ref: 00DC9DF0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$EnterFileH_prolog3_LeaveLoadModuleNameType_strlen
    • String ID: 0$
    • API String ID: 1175553456-1012964649
    • Opcode ID: c1a52a17d6073e6ab36cf3ae87a085f13133d55c2ed3da1cbd9cdd0583d4999d
    • Instruction ID: 913dcc5452f55961661efa607337c717a719d542d5012043d362f218e2c021e1
    • Opcode Fuzzy Hash: c1a52a17d6073e6ab36cf3ae87a085f13133d55c2ed3da1cbd9cdd0583d4999d
    • Instruction Fuzzy Hash: B0716E71A0021AAFDB25DB64CD59FE9B7B8AF09300F1480D9E54AA7241DB70DE94CFB1
    Function 00DF595C Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 151COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::operator+.LIBCMT ref: 00DF59EA
    • DName::operator+.LIBCMT ref: 00DF5A3D
      • Part of subcall function 00DF44C8: shared_ptr.LIBCMT ref: 00DF44E4
      • Part of subcall function 00DF43B7: DName::operator+.LIBCMT ref: 00DF43D8
    • DName::operator+.LIBCMT ref: 00DF5A2E
    • DName::operator+.LIBCMT ref: 00DF5A8E
    • DName::operator+.LIBCMT ref: 00DF5A9B
    • DName::operator+.LIBCMT ref: 00DF5AE2
    • DName::operator+.LIBCMT ref: 00DF5AEF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+$shared_ptr
    • String ID: 2
    • API String ID: 1037112749-1163837044
    • Opcode ID: feca8e912c816d08ccfb3242bc209dd6d9431d93fd8f994fc5ff3d6b04baf9e6
    • Instruction ID: af8ec590b8b1fced307d2f5684fea79bd00a5c88f43223d8f8c2370647969a92
    • Opcode Fuzzy Hash: feca8e912c816d08ccfb3242bc209dd6d9431d93fd8f994fc5ff3d6b04baf9e6
    • Instruction Fuzzy Hash: 2551537190061CABDB15DB94D885EFEBBB8EF48710F06815AF705B7285EB70A644CBB0
    Function 00DC8F2E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116libraryloaderCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DC8849: GetModuleFileNameA.KERNEL32(?,?,00000104,?,00000000,?), ref: 00DC88A6
    • SysStringLen.OLEAUT32(?), ref: 00DC8FAF
    • CharNextW.USER32(?), ref: 00DC8FEE
    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00DC9046
    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00DC9056
    • SysFreeString.OLEAUT32(?), ref: 00DC907C
    • SysFreeString.OLEAUT32(?), ref: 00DC9098
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$FreeModule$AddressCharFileHandleNameNextProc
    • String ID: OLEAUT32.DLL$RegisterTypeLibForUser
    • API String ID: 2012197027-2666564778
    • Opcode ID: 9f75b85880afceed2301bc380d9e5ad4a3d4b5460bf09bc14f64577fec86278b
    • Instruction ID: 8377298a0997a3c85451149f9a7995a0402760c1bf9b89fc4dfd1fd365f8f541
    • Opcode Fuzzy Hash: 9f75b85880afceed2301bc380d9e5ad4a3d4b5460bf09bc14f64577fec86278b
    • Instruction Fuzzy Hash: 5441B071A0022DAFCB209B65CC8CFEABB79EF54310F1446A9E409A7150DA718EC4DB71
    Function 00DF6CBE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 102COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::DName.LIBVCRUNTIME ref: 00DF6CE6
    • DName::DName.LIBVCRUNTIME ref: 00DF6D13
      • Part of subcall function 00DF4131: __aulldvrm.LIBCMT ref: 00DF4162
    • DName::operator+.LIBCMT ref: 00DF6D2E
    • DName::DName.LIBVCRUNTIME ref: 00DF6D4B
    • DName::DName.LIBVCRUNTIME ref: 00DF6D7B
    • DName::DName.LIBVCRUNTIME ref: 00DF6D85
    • DName::DName.LIBVCRUNTIME ref: 00DF6DAC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: NameName::$Name::operator+__aulldvrm
    • String ID: 8/
    • API String ID: 4069495278-3675345385
    • Opcode ID: fc035b1151e164542ba1c19f61e24e38a6d9626c2ad2ac2f03e3b28c14b1f1d6
    • Instruction ID: 10d01251e2e538044f4a76521eb4d80e42ab8ee0a32ca8040b3593e9e38197f0
    • Opcode Fuzzy Hash: fc035b1151e164542ba1c19f61e24e38a6d9626c2ad2ac2f03e3b28c14b1f1d6
    • Instruction Fuzzy Hash: 8631D071A0520C9ADB09CB64CC91BFD7BB4FF05310F1A8409E68667A92DB70E9899B30
    Function 00DF8C90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 00DFA1B2: Replicator::operator[].LIBVCRUNTIME ref: 00DFA1EF
    • DName::operator=.LIBVCRUNTIME ref: 00DF8D36
      • Part of subcall function 00DF88DE: DName::operator+.LIBCMT ref: 00DF8949
      • Part of subcall function 00DF88DE: DName::operator+.LIBCMT ref: 00DF8C07
    • DName::operator+.LIBCMT ref: 00DF8CF1
    • DName::operator+.LIBCMT ref: 00DF8CFD
    • DName::DName.LIBVCRUNTIME ref: 00DF8D4A
    • DName::operator+.LIBCMT ref: 00DF8D59
    • DName::operator+.LIBCMT ref: 00DF8D65
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
    • String ID: .$.
    • API String ID: 955152517-758550460
    • Opcode ID: 603acd3e2119ab2f5458bc48c7bfc31617b3ebcdd310d0ca71d92b8a2110e764
    • Instruction ID: 454570504dc3001c38050428c9c116ad3200b3db20021de80d474ae1209d3372
    • Opcode Fuzzy Hash: 603acd3e2119ab2f5458bc48c7bfc31617b3ebcdd310d0ca71d92b8a2110e764
    • Instruction Fuzzy Hash: FF3181B1A003089FCB18DF94D8919FABBF9EF59300F15845DE686A7381DB309945DB31
    Function 00DDBB8E Relevance: 13.7, APIs: 9, Instructions: 218sleepCOMMON
    Download Yara Rule
    APIs
    • SysFreeString.OLEAUT32(?), ref: 00DDBE1A
      • Part of subcall function 00DCFCB9: __EH_prolog3_catch.LIBCMT ref: 00DCFCC0
      • Part of subcall function 00DCFCB9: WaitForSingleObject.KERNEL32(?,000003E8,0000000C,00DD9303,00000012,?), ref: 00DCFD03
    • VariantClear.OLEAUT32(?), ref: 00DDBC46
    • SysFreeString.OLEAUT32(?), ref: 00DDBCE4
    • Sleep.KERNEL32(000003E8,00E3C9FA), ref: 00DDBCF8
    • SysFreeString.OLEAUT32(?), ref: 00DDBD28
    • SysStringLen.OLEAUT32(?), ref: 00DDBD2F
    • SysStringLen.OLEAUT32(?), ref: 00DDBD42
    • SysStringLen.OLEAUT32(?), ref: 00DDBD50
    • SysStringLen.OLEAUT32(?), ref: 00DDBD90
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$ClearH_prolog3_catchObjectSingleSleepVariantWait
    • String ID:
    • API String ID: 4081980128-0
    • Opcode ID: 5cf769d40f377ba90ef8db523c355e28c4ac5a01cd882ae8e9c18d041cfc766a
    • Instruction ID: 8614421e42116d1ccbea253ef39bb6441c29b3badb953356a3a3396eb5d5ff20
    • Opcode Fuzzy Hash: 5cf769d40f377ba90ef8db523c355e28c4ac5a01cd882ae8e9c18d041cfc766a
    • Instruction Fuzzy Hash: 24819131900249EFDF15DF64C889BEE7BB5EF04314F0940AAE946AB296DB709A44CB71
    Function 00DD8973 Relevance: 13.6, APIs: 9, Instructions: 134threadCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DD897A
    • SysFreeString.OLEAUT32(?), ref: 00DD8A84
    • SysFreeString.OLEAUT32(?), ref: 00DD8A9E
    • CreateEventA.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00DD8AC2
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00DD8ACE
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00DD8ADA
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00DD8AE6
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00DD8AF2
    • CreateThread.KERNEL32(00000000,00000000,00DDC873,?,00000000,?), ref: 00DD8B13
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Create$Event$FreeString$H_prolog3Thread
    • String ID:
    • API String ID: 657308054-0
    • Opcode ID: 913216ff06c244837d14bd0219ce54e894a4f73d777148882c7c1d59107960cc
    • Instruction ID: e1a0a9e2166cd00202b9a0a43a8ce0028303ca8242888b0c4861fedf6a191546
    • Opcode Fuzzy Hash: 913216ff06c244837d14bd0219ce54e894a4f73d777148882c7c1d59107960cc
    • Instruction Fuzzy Hash: 86511EB1A10B46BEE708DF75C885BA6FBE8FF44344F00862AE01D93650D770A954CFA5
    Function 00DE5CD5 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 288COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID: d$d
    • API String ID: 2427045233-195624457
    • Opcode ID: c81ab4880ef1f45bac2cdb0a0de46a41177d2e54bc084b663b426f854783d3df
    • Instruction ID: 8094e780711dae179cbd19704e4f4bcb6685965a8d641dc88a99922822f17dda
    • Opcode Fuzzy Hash: c81ab4880ef1f45bac2cdb0a0de46a41177d2e54bc084b663b426f854783d3df
    • Instruction Fuzzy Hash: 89B1F470500B9A87DB32EB26CC45BDEB7B9EF54344F0449AAE45AE2191DB71DE84CB30
    Function 00DC3ABC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103filesleepCOMMON
    Download Yara Rule
    APIs
    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,40000000,00000000), ref: 00DC3B25
    • GetLastError.KERNEL32 ref: 00DC3B3C
    • Sleep.KERNEL32(00000064), ref: 00DC3B4A
    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,40000000,00000000), ref: 00DC3B69
    • GetLastError.KERNEL32 ref: 00DC3B7A
    • CloseHandle.KERNEL32(?), ref: 00DC3BC6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CreateErrorFileLast$CloseHandleSleep
    • String ID: \.\C
    • API String ID: 1085951872-1805059742
    • Opcode ID: f9bf6182dfb439f7f2842caba73669ff2e622f40b249044767dd2bbd89e12776
    • Instruction ID: 0851f16ec3f3c227efa7d6a12a613c4e415c74673f0eab3f25da226077ed59b5
    • Opcode Fuzzy Hash: f9bf6182dfb439f7f2842caba73669ff2e622f40b249044767dd2bbd89e12776
    • Instruction Fuzzy Hash: B731E831240755AFD7209B75DC49F76B7E9EF58360F20892DF2BAD72D0D670AA008B25
    Function 00DDA0CC Relevance: 12.1, APIs: 8, Instructions: 122sleepsynchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DDA0D3
    • Sleep.KERNEL32(00000032,00000004,00DC7466,3D2EC555,?,?,00E36AC2,000000FF,?,00DC5B75), ref: 00DDA0F0
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF,?,00000004,00DC7466,3D2EC555), ref: 00DDA20E
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF,?,00000004,00DC7466,3D2EC555), ref: 00DDA21E
    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,000000FF,?,00000004,00DC7466,3D2EC555), ref: 00DDA22C
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF,?,00000004,00DC7466,3D2EC555), ref: 00DDA23E
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF,?,00000004,00DC7466,3D2EC555), ref: 00DDA246
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF,?,00000004,00DC7466,3D2EC555), ref: 00DDA24E
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseHandle$EventH_prolog3ObjectSingleSleepWait
    • String ID:
    • API String ID: 101088899-0
    • Opcode ID: 6c289cbdde7f5ab130414dc35ec9b3bb61a217861d35488dba886b5534331c5b
    • Instruction ID: 0cf345ff46b83a234539aefac88d4fad4d6cad176c91cdfe1283250c88771564
    • Opcode Fuzzy Hash: 6c289cbdde7f5ab130414dc35ec9b3bb61a217861d35488dba886b5534331c5b
    • Instruction Fuzzy Hash: 05414F715007419BDB246F798C45B6AB6E2FF40310F19892FE59AA7391DF71A840DB31
    Function 00DE8AB3 Relevance: 12.1, APIs: 8, Instructions: 98synchronizationthreadCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DE8ABA
    • WaitForSingleObject.KERNEL32(?,000003E8,00000000,00DD9BA7,?,?,?,?,00000001,00E3C9FA), ref: 00DE8ADB
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,00000001,00E3C9FA), ref: 00DE8B21
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000001,00E3C9FA), ref: 00DE8B2C
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,00000001,00E3C9FA), ref: 00DE8B38
    • CreateThread.KERNEL32(00000000,00000000,00DE8BCE,?,00000000,?), ref: 00DE8B4F
    • SetEvent.KERNEL32(?,?,?,00000001,00E3C9FA), ref: 00DE8BA3
    • SetEvent.KERNEL32(?,?,?,00000001,00E3C9FA), ref: 00DE8BBE
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$Create$H_prolog3ObjectSingleThreadWait
    • String ID:
    • API String ID: 2425735666-0
    • Opcode ID: b60e9493483dc0d6441027f61bcbb8bd400b9007fe85eb135f4fb8cc5ec5c1fe
    • Instruction ID: fc3f7a5a7cb8f966a9ae61cfacc6c44a73794e48aa1dfa8cce5b46369b3dc587
    • Opcode Fuzzy Hash: b60e9493483dc0d6441027f61bcbb8bd400b9007fe85eb135f4fb8cc5ec5c1fe
    • Instruction Fuzzy Hash: DB3160B0A11655AFDB14AF36CC48A66BBA9FF08750B14416AF819DB290DB70D850DFB0
    Function 00DC22FE Relevance: 12.1, APIs: 8, Instructions: 55sleepsynchronizationCOMMON
    Download Yara Rule
    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC230D
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DC2340
    • Sleep.KERNEL32(00000001), ref: 00DC234A
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DC2358
    • SetEvent.KERNEL32(?), ref: 00DC2378
    • CloseHandle.KERNEL32(00000000), ref: 00DC237D
    • SetEvent.KERNEL32(?), ref: 00DC2389
    • SetEvent.KERNEL32(?), ref: 00DC2391
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$Wait$CloseCreateHandleMultipleObjectObjectsSingleSleep
    • String ID:
    • API String ID: 1757603259-0
    • Opcode ID: 076c85808b212af134a5c72fe0060de303098a0ad5c63d0ff8f0a625aecb5f6a
    • Instruction ID: 377db156ea193ace76a33ecfb93c8d77c31fb5d4a160807e7894c2a9ca422227
    • Opcode Fuzzy Hash: 076c85808b212af134a5c72fe0060de303098a0ad5c63d0ff8f0a625aecb5f6a
    • Instruction Fuzzy Hash: 14115A71200209AFD7256F61DC48FBABAA9FB44750F14443DE99AA22A0DB75A8848B61
    Function 00DDE14A Relevance: 10.7, APIs: 7, Instructions: 238COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free
    • String ID:
    • API String ID: 1391021980-0
    • Opcode ID: ae0e66a3d0f8b931a2b7875ec3fc5f83b42107dc59198767b29b251da1548858
    • Instruction ID: 9d1f15a2f7c471863bf294bad78ef9e993db05cf8fcd7502fdff2af72a314c33
    • Opcode Fuzzy Hash: ae0e66a3d0f8b931a2b7875ec3fc5f83b42107dc59198767b29b251da1548858
    • Instruction Fuzzy Hash: CF819C31200249EBDF15AF65CC45EAE7BB5EF48704F04442AFA86EB291DB71DA41CB70
    Function 00DDDEA0 Relevance: 10.7, APIs: 7, Instructions: 222COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free
    • String ID:
    • API String ID: 1391021980-0
    • Opcode ID: 981f23dbeb5c38e7c0e6ea5e9e7f7c72f68633f0d7d86a84c7fdf94e87c37129
    • Instruction ID: 36caceba858ae88528b4a6abe58a90b903e826b720da26a75aa673ea639d82eb
    • Opcode Fuzzy Hash: 981f23dbeb5c38e7c0e6ea5e9e7f7c72f68633f0d7d86a84c7fdf94e87c37129
    • Instruction Fuzzy Hash: 5071B13120024AEBDF11AF65CC46FAE7BB6EF44700F04402AFA469B291DB71D951DB70
    Function 00DF6A54 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 201COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DF6A5B
    • UnDecorator::getSymbolName.LIBCMT ref: 00DF6AE9
    • DName::operator+.LIBCMT ref: 00DF6BED
      • Part of subcall function 00DF44C8: shared_ptr.LIBCMT ref: 00DF44E4
    • DName::DName.LIBVCRUNTIME ref: 00DF6CAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
    • String ID: .$.
    • API String ID: 334624791-758550460
    • Opcode ID: f7eb9b32b9e96e5af796c0f4bd46bcd650bfa06fd60980f402831490ef413af2
    • Instruction ID: facb3c20dbfb0a40e7f8f0fea0fdd540e339ac5980c0aaca163171783fbbf173
    • Opcode Fuzzy Hash: f7eb9b32b9e96e5af796c0f4bd46bcd650bfa06fd60980f402831490ef413af2
    • Instruction Fuzzy Hash: CB8155B180120D9FDB05DF94D881AFEBBB4FB49311F1A806AE685AB652D734D944CBB0
    Function 00DF829E Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 178COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: operator+shared_ptr
    • String ID: (1$41
    • API String ID: 864562889-2401943120
    • Opcode ID: ad2f1aadb3a62a7bc218c895770a3baefffbb094c79091523c076d9e3b88ab05
    • Instruction ID: dd6d98d3c8fd574abb06ad0c104f7b2f384629efac66725ecac0f65059404f64
    • Opcode Fuzzy Hash: ad2f1aadb3a62a7bc218c895770a3baefffbb094c79091523c076d9e3b88ab05
    • Instruction Fuzzy Hash: AB618D7180020EEFCB05CFA8C8449BE7BF5FB45304F1AC55AE645AB221DB31D645EB62
    Function 00DE7896 Relevance: 10.6, APIs: 7, Instructions: 134COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DE789D
      • Part of subcall function 00DD1D35: __EH_prolog3.LIBCMT ref: 00DD1D3C
      • Part of subcall function 00DD1D35: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,00000008,00DE78BD,00000008,00DCD1FE,00000004,8007000E,?,?,00DD8A73,00E3C9FA), ref: 00DD1D68
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,00000008,00DCD1FE,00000004,8007000E,?,?,00DD8A73,00E3C9FA), ref: 00DE78E3
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,00DD8A73,00E3C9FA), ref: 00DE78ED
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,00DD8A73,00E3C9FA), ref: 00DE79B0
    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,00DD8A73,00E3C9FA), ref: 00DE79BE
    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,00DD8A73,00E3C9FA), ref: 00DE79CC
    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,00DD8A73,00E3C9FA), ref: 00DE79DA
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CreateEvent$H_prolog3
    • String ID:
    • API String ID: 206838378-0
    • Opcode ID: f2ea681492062761775248fe249b5da053e528e339867e101448501ac9e953ab
    • Instruction ID: d0844db45734c43fc350d4841f76416a70a6f96e695c0598e2c85638bdbb457d
    • Opcode Fuzzy Hash: f2ea681492062761775248fe249b5da053e528e339867e101448501ac9e953ab
    • Instruction Fuzzy Hash: 6A5193B0955B449ED7609F7A88C9B97FBE4FF18300F90892EE1AED7291D770A440CB25
    Function 00DDC873 Relevance: 10.6, APIs: 7, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DDC87A
    • CoInitializeEx.OLE32(00000000,00000000,00000010), ref: 00DDC883
    • SetEvent.KERNEL32(?), ref: 00DDC895
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DDC989
    • CoUninitialize.OLE32 ref: 00DDC999
    • SetEvent.KERNEL32(?), ref: 00DDC9A5
    • SysFreeString.OLEAUT32(?), ref: 00DDC9AE
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$FreeH_prolog3InitializeMultipleObjectsStringUninitializeWait
    • String ID:
    • API String ID: 3120712212-0
    • Opcode ID: 90452043dc1bc2c4ab9deecba16e0fcc40f8b3a812b66f6b82521e035ad83a51
    • Instruction ID: a0b59be5c2e83a8568623a616db53f511b71653368ef9b680766ec285f9a6d5f
    • Opcode Fuzzy Hash: 90452043dc1bc2c4ab9deecba16e0fcc40f8b3a812b66f6b82521e035ad83a51
    • Instruction Fuzzy Hash: 86410030500616AFDB25AF64CC1ABBEBBB5FF04311F04461BF4A5A2290DB35A840DFB1
    Function 00DC40B8 Relevance: 10.6, APIs: 7, Instructions: 87filesynchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DC40BF
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0000001C,00DC4031,00000002,?), ref: 00DC40E8
    • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 00DC4109
    • GetLastError.KERNEL32 ref: 00DC410F
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00DC4124
    • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00DC413A
    • CloseHandle.KERNEL32(?), ref: 00DC4150
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseCreateErrorEventFileH_prolog3HandleLastObjectOverlappedResultSingleWaitWrite
    • String ID:
    • API String ID: 2912037231-0
    • Opcode ID: 225da6b26a67e3b823326e24aeb33bad00f950db6cb80792f6b48f320350a19e
    • Instruction ID: f9ea39f9bf7ac7de80738ed2ec5ee7f59998871820ca388ff7285788b6cd6c2a
    • Opcode Fuzzy Hash: 225da6b26a67e3b823326e24aeb33bad00f950db6cb80792f6b48f320350a19e
    • Instruction Fuzzy Hash: 4D318F3190031AAFDB119FA1CC49BEE7EB9FF58710F188229F945A7190DB708984CBB1
    Function 00DF7316 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: NameName::
    • String ID: %lf$A
    • API String ID: 1333004437-43661536
    • Opcode ID: 2e87e3da65d8b21d3d9e0611979e3dc1e622aac1947ba447c08510020fc34019
    • Instruction ID: d6508914a0b2d89b7b32fa6009d8a88f57f0d88172466c0064cf2c5f7b92ec71
    • Opcode Fuzzy Hash: 2e87e3da65d8b21d3d9e0611979e3dc1e622aac1947ba447c08510020fc34019
    • Instruction Fuzzy Hash: DD317EB090825CEFCF18DFA5C841AEDBBF5FB49300F06805EEA95AB241C7709985DB61
    Function 00DD0395 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DD039C
    • WaitForSingleObject.KERNEL32(?,000003E8,00000004,00DDC456,?,?,?,?,00E3C9FA,00E3C9FA), ref: 00DD03B3
      • Part of subcall function 00DCEDB2: __EH_prolog3_catch_GS.LIBCMT ref: 00DCEDDE
      • Part of subcall function 00DCEDB2: WaitForSingleObject.KERNEL32(?,000003E8,0000010C,00000000), ref: 00DCEDFA
    • SysFreeString.OLEAUT32(?), ref: 00DD043A
    • SysFreeString.OLEAUT32(?), ref: 00DD0491
    • SetEvent.KERNEL32(?,00000000,00000000), ref: 00DD049C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeObjectSingleStringWait$EventH_prolog3_catchH_prolog3_catch_
    • String ID: (
    • API String ID: 1783023859-3887548279
    • Opcode ID: 7ac46af0aa120a3f4baeb074e7f1b4711617addf6ac37a440ba089cd23a94d19
    • Instruction ID: 2eb7990b02450b6a784a1036acd0948a9fdaad71aaf174ecc6ce6312e35daef6
    • Opcode Fuzzy Hash: 7ac46af0aa120a3f4baeb074e7f1b4711617addf6ac37a440ba089cd23a94d19
    • Instruction Fuzzy Hash: 5E319F30600219ABCF169F20C844FA97F62FF84714F18812AEA456B361DB71ED91CBB0
    Function 00E22B21 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\czcansrv.exe$S-
    • API String ID: 0-2132305666
    • Opcode ID: e5d2266fbed90b9f46acab531de9fa94c8c99c73fc82d08289fc5d23ed9bb819
    • Instruction ID: a0368e8c2c394f956dfbbaeff4ef5ec49a94318409d89c8aa4605cf79279d22d
    • Opcode Fuzzy Hash: e5d2266fbed90b9f46acab531de9fa94c8c99c73fc82d08289fc5d23ed9bb819
    • Instruction Fuzzy Hash: 2821C371200229BFCB20AF75EC85DABB7AEEF40368711992CFA15B7140EB31EC518760
    Function 00DCD5E2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DCD5E9
    • ResetEvent.KERNEL32(?,?,?,?,00000000,StartSession(), ref: 00DCD6A6
    • SysFreeString.OLEAUT32(?), ref: 00DCD6DE
    • SysFreeString.OLEAUT32(?), ref: 00DCD6E3
      • Part of subcall function 00DC29B7: __EH_prolog3.LIBCMT ref: 00DC29BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeH_prolog3String$EventReset
    • String ID: 10000$StartSession(
    • API String ID: 3193639618-1013227415
    • Opcode ID: f07debe6a67eef9f7cfe135403e409c21538737e5d860fdcc2338642b2ab4d42
    • Instruction ID: 27d7e4cb1ae4c9d8a5ebd2f756b6ce8811bf4313215fa5360e15a39623e3d072
    • Opcode Fuzzy Hash: f07debe6a67eef9f7cfe135403e409c21538737e5d860fdcc2338642b2ab4d42
    • Instruction Fuzzy Hash: A521507190020AAFDB10EFA5CD45FAE7BB2EF04340F14413DE949AB2A1DB709A05CB71
    Function 00DD13C3 Relevance: 10.5, APIs: 7, Instructions: 41synchronizationCOMMON
    Download Yara Rule
    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DD13D1
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DD13EA
    • SetEvent.KERNEL32(?), ref: 00DD1401
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DD140B
    • CloseHandle.KERNEL32(?), ref: 00DD1414
    • SetEvent.KERNEL32(?), ref: 00DD1420
    • SetEvent.KERNEL32(?), ref: 00DD1428
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$ObjectSingleWait$CloseCreateHandle
    • String ID:
    • API String ID: 2339940433-0
    • Opcode ID: 248e7fe7699b9a7054dc5a2719501ab5a5df52ae70a81eb5afab19f3832cd642
    • Instruction ID: 980b4b431dacdfbfcbf1af305ff14ce99f8e981d60d71df2541242a2edf58dc9
    • Opcode Fuzzy Hash: 248e7fe7699b9a7054dc5a2719501ab5a5df52ae70a81eb5afab19f3832cd642
    • Instruction Fuzzy Hash: 7CF04F75100608BFDB116F76DC88F9B7A69FF40350F448435F589A2160CE31AC499B70
    Function 00E30B6A Relevance: 9.3, APIs: 6, Instructions: 298COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fed9a0fcd10df43c8251ac4eb11d19191c44e8b6d64afe0d9f3776a3eb82dd1b
    • Instruction ID: 612fff529803792bf2023a22c73d46fdd128efa3a9a61373970bee1f79b03db0
    • Opcode Fuzzy Hash: fed9a0fcd10df43c8251ac4eb11d19191c44e8b6d64afe0d9f3776a3eb82dd1b
    • Instruction Fuzzy Hash: C4B10270A04249AFDF16DFAAC8A8BBEBFF2EF45314F149558E500B7292C7709945CB60
    Function 00E329A9 Relevance: 9.2, APIs: 6, Instructions: 248COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: __freea$Info
    • String ID:
    • API String ID: 541289543-0
    • Opcode ID: a851e8470caa5f53b8e891a7485367d4d7a793bc58d696b5ec9b8a449919324d
    • Instruction ID: 7db35923086a154541ed79ff048d35313c491d8519807a1d72ce066f7d9d07ca
    • Opcode Fuzzy Hash: a851e8470caa5f53b8e891a7485367d4d7a793bc58d696b5ec9b8a449919324d
    • Instruction Fuzzy Hash: 3D71F47290021A6BDF219E648C49FEEBFF9AF49714F28645DEA85B7281D7359C00C760
    Function 00DDF0D8 Relevance: 9.2, APIs: 6, Instructions: 196COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearFreeInitString
    • String ID:
    • API String ID: 2508483829-0
    • Opcode ID: f9e8a6c853be42526beeeab79ecba7a823d27b45ba88188c2c8fa82276fe48ce
    • Instruction ID: 2237264c502014ffe02a29628491a0a48bf7943ba5ef8bcf1ea2bcba6e10a7ae
    • Opcode Fuzzy Hash: f9e8a6c853be42526beeeab79ecba7a823d27b45ba88188c2c8fa82276fe48ce
    • Instruction Fuzzy Hash: A951CF35200206ABDF15AF64CC82BAEBBA5EF44710F14413AFA06DB391DB71E911CBB4
    Function 00DC9EA6 Relevance: 9.1, APIs: 6, Instructions: 130COMMON
    Download Yara Rule
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,?,00DC9B3B,?,?,?), ref: 00DC9ED5
    • GetLastError.KERNEL32(?,?,?,00DC9B3B,?,?,?,?,?,C000008C,00000001,?,00DC9297,00000000,?,?), ref: 00DC9EDB
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,00DC9B3B,?,?,?,?,?,C000008C,00000001), ref: 00DC9F05
    • GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,?,00DC9B3B,?,?,?), ref: 00DC9F59
    • GetLastError.KERNEL32(?,?,?,00DC9B3B,?,?,?,?,?,C000008C,00000001,?,00DC9297,00000000,?,?), ref: 00DC9F5F
    • GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),00000000,?,?,?,?,?,00DC9B3B,?,?,?,?,?,C000008C,00000001), ref: 00DC9F89
      • Part of subcall function 00DC877A: GetLastError.KERNEL32(00DC9B50,?,?,C000008C,00000001,?,00DC9297,00000000,?,?,00DC6E24,?,00DC7B3E,?,00000000,00DCC75B), ref: 00DC877A
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: InformationToken$ErrorLast
    • String ID:
    • API String ID: 2567405617-0
    • Opcode ID: 9aa802b233ecc9fbed3e23bfbcc5f96a2f5d1940dec37170c645f9ec4f417d76
    • Instruction ID: 1f65b928130a5951bf2eae80575f83100413a1aac5279c275cf35b831195d894
    • Opcode Fuzzy Hash: 9aa802b233ecc9fbed3e23bfbcc5f96a2f5d1940dec37170c645f9ec4f417d76
    • Instruction Fuzzy Hash: 01418F7280411ABBDF155FA4DC5DF6AFB69EF00721F29406DF900EB150EB718D409A70
    Function 00DFA05C Relevance: 9.1, APIs: 6, Instructions: 120COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::operator+.LIBCMT ref: 00DFA0A0
    • DName::operator+.LIBCMT ref: 00DFA0AC
      • Part of subcall function 00DF44C8: shared_ptr.LIBCMT ref: 00DF44E4
    • DName::operator+=.LIBCMT ref: 00DFA16C
      • Part of subcall function 00DF88DE: DName::operator+.LIBCMT ref: 00DF8949
      • Part of subcall function 00DF88DE: DName::operator+.LIBCMT ref: 00DF8C07
      • Part of subcall function 00DF43B7: DName::operator+.LIBCMT ref: 00DF43D8
    • DName::operator+.LIBCMT ref: 00DFA127
      • Part of subcall function 00DF4520: DName::operator=.LIBVCRUNTIME ref: 00DF4541
    • DName::DName.LIBVCRUNTIME ref: 00DFA190
    • DName::operator+.LIBCMT ref: 00DFA19C
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
    • String ID:
    • API String ID: 2795783184-0
    • Opcode ID: f0599b4ad4e2c44adf30d58402a66ca55f814e3b3f94346b751bd2e425bc43de
    • Instruction ID: cdba3b4875c982d4a76282a4b906ace816eabaaa31aa5edb8d50a6a786dfc980
    • Opcode Fuzzy Hash: f0599b4ad4e2c44adf30d58402a66ca55f814e3b3f94346b751bd2e425bc43de
    • Instruction Fuzzy Hash: 8941A4B0A0034C6FDB15DBACD851BBE7BE9EB06300F068459E389AB351DB749984C775
    Function 00DD49F0 Relevance: 9.1, APIs: 6, Instructions: 103COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DD49F7
    • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00DD4AA7
    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DD4ABB
    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00DD4ADD
    • SafeArrayDestroy.OLEAUT32(00000000), ref: 00DD4B09
    • SysFreeString.OLEAUT32(?), ref: 00DD4B12
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArraySafe$Data$AccessCreateDestroyFreeH_prolog3StringUnaccess
    • String ID:
    • API String ID: 3146411487-0
    • Opcode ID: 970cef157565276032aa677b1ecc36e828c9e6e22bab0b54c99cb2e09db03986
    • Instruction ID: cad52db37b343f13716b42413c055db35ece88bd89a750e880458b624c620f0f
    • Opcode Fuzzy Hash: 970cef157565276032aa677b1ecc36e828c9e6e22bab0b54c99cb2e09db03986
    • Instruction Fuzzy Hash: 404189309006199BCB21DF94C8845BEBBB5FF14709B29816BFC54AB215D731DD82CBB0
    Function 00DEAFD0 Relevance: 9.1, APIs: 6, Instructions: 63COMMON
    Download Yara Rule
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 00DEAFF4
    • DeviceIoControl.KERNEL32(00000000,?,00000000,00DE3B7B,00000000,00000000,00000000,?), ref: 00DEB014
    • LeaveCriticalSection.KERNEL32(?), ref: 00DEB058
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$ControlDeviceEnterLeave
    • String ID:
    • API String ID: 3815106556-0
    • Opcode ID: abc2d7cfbae69256845bc7a9fa8d81d0f07a09912a86ee7386a6eab6fb54a8cb
    • Instruction ID: cf53ad806075cac41b34e242cf79606387e5700c615349bffd165fbbf243d969
    • Opcode Fuzzy Hash: abc2d7cfbae69256845bc7a9fa8d81d0f07a09912a86ee7386a6eab6fb54a8cb
    • Instruction Fuzzy Hash: 97117C72501109BFDB119FA6CC48AEFBBA8FB09320F148126F915E2520D731FD54DBA0
    Function 00DF27AD Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(?,?,00DF27A4,00DEF10A,00DED8B0), ref: 00DF27BB
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DF27C9
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DF27E2
    • SetLastError.KERNEL32(00000000,?,00DF27A4,00DEF10A,00DED8B0), ref: 00DF2834
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: e03a7dc8aa91f14051ae2fe82b4e4a9126f61275d914f8d893c47a2742c1f82c
    • Instruction ID: 5119c70cad0fbd532780ce09c760ef50a47efa7bd8d63a9ad4aa59f62f936bb1
    • Opcode Fuzzy Hash: e03a7dc8aa91f14051ae2fe82b4e4a9126f61275d914f8d893c47a2742c1f82c
    • Instruction Fuzzy Hash: C0019C3210A7099EDA1627BABCC99773B84EF01B71F268239F718510F0FF014C0491B2
    Function 00DDA796 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 187COMMON
    Download Yara Rule
    APIs
    • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00DDA914
    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DDA92C
    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00DDA98B
    • SafeArrayDestroy.OLEAUT32(00000000), ref: 00DDA9C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArraySafe$Data$AccessCreateDestroyUnaccess
    • String ID: 10000
    • API String ID: 3004631453-2008841541
    • Opcode ID: 47bb2f4deb2b680fbf1327203a3a27f3914af3f5d00c8cc4cc981cdff7f1fc39
    • Instruction ID: 6c558c38093de6768a4e5ec6481b3e71e5acadc65e551f69c3bc289631142f9d
    • Opcode Fuzzy Hash: 47bb2f4deb2b680fbf1327203a3a27f3914af3f5d00c8cc4cc981cdff7f1fc39
    • Instruction Fuzzy Hash: C6619830A00B01CBDB358F5DC5546BAB7E1EF84700F6AC92BD88266751D375A886DBB3
    Function 00DF70FE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::DName.LIBVCRUNTIME ref: 00DF7186
      • Part of subcall function 00DF4131: __aulldvrm.LIBCMT ref: 00DF4162
    • DName::operator+.LIBCMT ref: 00DF7193
    • DName::operator=.LIBVCRUNTIME ref: 00DF7213
    • DName::DName.LIBVCRUNTIME ref: 00DF7233
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: NameName::$Name::operator+Name::operator=__aulldvrm
    • String ID: T3
    • API String ID: 2448499823-2635867010
    • Opcode ID: 3254c38306e2de6bf21dba5e85ed65fe934ef5409217d1e1ea045854d735ac54
    • Instruction ID: 4b7c38eb04a5445d16557e1523cd7eb877ac22d55b5a6e13c19d1d57fdb98f71
    • Opcode Fuzzy Hash: 3254c38306e2de6bf21dba5e85ed65fe934ef5409217d1e1ea045854d735ac54
    • Instruction Fuzzy Hash: D0517C7090421DEFDB15CF98D880AFEBBB4FB46301F1AC05AE651AB351D7709A85DBA0
    Function 00DC90B6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66libraryloaderCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DC8849: GetModuleFileNameA.KERNEL32(?,?,00000104,?,00000000,?), ref: 00DC88A6
    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00DC90FE
    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00DC910E
    • SysFreeString.OLEAUT32(00000000), ref: 00DC9154
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Module$AddressFileFreeHandleNameProcString
    • String ID: OLEAUT32.DLL$UnRegisterTypeLibForUser
    • API String ID: 815855407-2196524522
    • Opcode ID: 7c9c0a0222724555bab9dcb371d1f5d21e0eb2e6a2a30ab94943a23b490f9f17
    • Instruction ID: 557bd844bae08f5b05ade922352829a1f00d12ebb34d5e680516cf3768f4355b
    • Opcode Fuzzy Hash: 7c9c0a0222724555bab9dcb371d1f5d21e0eb2e6a2a30ab94943a23b490f9f17
    • Instruction Fuzzy Hash: 23215E7260021ABFCB15DF91CC5DEAA7BB9EF48325B284098F805EB151DB31DE45DB60
    Function 00DFA90B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,?,00DFA9CC,?,?,00000000,?,?,00DFAB3A,00000002,FlsGetValue,00E4357C,FlsGetValue,?), ref: 00DFA99B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: 007da811ad8f7bbd3ecab6648040c5f39a6c75f0057eb444df5c2f2084969500
    • Instruction ID: 46df4a17bd14726b96c842d6d77abcaed0b4e2d3cbb47561949ed1569ac340f0
    • Opcode Fuzzy Hash: 007da811ad8f7bbd3ecab6648040c5f39a6c75f0057eb444df5c2f2084969500
    • Instruction Fuzzy Hash: 22110AB1A41229AFDF224B6D9C4476937949F01770F6B8130EA58FB190D7A4ED008EF3
    Function 00E190E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3D2EC555,?,?,00000000,00E39354,000000FF,?,00E1906B,00E191BA,?,00E1903F,00000000), ref: 00E19119
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E1912B
    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00E39354,000000FF,?,00E1906B,00E191BA,?,00E1903F,00000000), ref: 00E1914D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: fb17b54e91a7d970c5d402d8b6b6ee2b0a16c20ea0f5944f528f2dcaa6003c1c
    • Instruction ID: cb09bbd966887f3e99dd9bfcc844202bdb6975046663e7ac20f01aa02c7e87c5
    • Opcode Fuzzy Hash: fb17b54e91a7d970c5d402d8b6b6ee2b0a16c20ea0f5944f528f2dcaa6003c1c
    • Instruction Fuzzy Hash: A301A271A44659BFDB058B51DC0DBAEBBB8FB04B15F040525F811B22E0DB749984CA91
    Function 00DC9856 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryloaderCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,00DCBB9F,?), ref: 00DC987D
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00DC988D
      • Part of subcall function 00DCAED9: GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,?,00DC986D,?,00000000,00000000,?,00DCBB9F,?), ref: 00DCAEEB
      • Part of subcall function 00DCAED9: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00DCAEFB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyExA
    • API String ID: 1646373207-1984814126
    • Opcode ID: d191f79dbebea2a0329295fa9701f2b3de4baadb6d930af90a9d20c2cc220bf6
    • Instruction ID: ef9741ab42064687c5035b8225fd36a8f47de7f8b1c4e950a1c912e9ad7501c2
    • Opcode Fuzzy Hash: d191f79dbebea2a0329295fa9701f2b3de4baadb6d930af90a9d20c2cc220bf6
    • Instruction Fuzzy Hash: 4F018F35204306EFDB155F62DC58F59BFA5AF0A392F18042DF596A3060C672C498EB71
    Function 00E1E7BE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00E1E777), ref: 00E1E7CD
    • GetLastError.KERNEL32(?,00E1E777), ref: 00E1E7D7
    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00E1E815
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-$ext-ms-
    • API String ID: 3177248105-537541572
    • Opcode ID: ab9b833f065999038bb3af4480150ea983bced8e68f617c9558504ddbb983ca9
    • Instruction ID: 363682a5727a3198c48045e130c813a23739764660a50bc49d5cababf4708cef
    • Opcode Fuzzy Hash: ab9b833f065999038bb3af4480150ea983bced8e68f617c9558504ddbb983ca9
    • Instruction Fuzzy Hash: 36F08C70780348BBEF202F22EC0AFA93E559B50B45F289030FD0CB81F1EB66D9D08981
    Function 00DECA7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON
    Download Yara Rule
    APIs
    • _wprintf.LEGACY_STDIO_DEFINITIONS ref: 00DECA99
      • Part of subcall function 00DEC143: __vfwprintf_l.LEGACY_STDIO_DEFINITIONS ref: 00DEC158
    • _wprintf.LEGACY_STDIO_DEFINITIONS ref: 00DECAAC
    • _wprintf.LEGACY_STDIO_DEFINITIONS ref: 00DECABD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: _wprintf$__vfwprintf_l
    • String ID: >$%d
    • API String ID: 906848274-2915014584
    • Opcode ID: 90cc20942422df8725eb54b4c5d0340fa343056b30da48d7d142d27c12dac208
    • Instruction ID: ae1dee22f8a5eafd715ab795b8e7a335f408fd622ed5dd5e0fa59df2f743d39f
    • Opcode Fuzzy Hash: 90cc20942422df8725eb54b4c5d0340fa343056b30da48d7d142d27c12dac208
    • Instruction Fuzzy Hash: DEE02B332543547F4110FA9EF882C15F7DCFA05B713602037FA04A35829571EA4281F8
    Function 00DC23BE Relevance: 7.9, APIs: 5, Instructions: 448COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00DC23C5
    • EnterCriticalSection.KERNEL32(00E51CF4), ref: 00DC24A8
    • LeaveCriticalSection.KERNEL32(00E51CF4), ref: 00DC24D8
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$EnterH_prolog3_Leave
    • String ID:
    • API String ID: 4216991881-0
    • Opcode ID: f4c9712719021cbbdf202869755be65d33394f54b16cf47348e48b15fa2f12f7
    • Instruction ID: 3e1280461e6570d044d60200ef5ab8ff9b9f8ee373b12b18321274c099d54f36
    • Opcode Fuzzy Hash: f4c9712719021cbbdf202869755be65d33394f54b16cf47348e48b15fa2f12f7
    • Instruction Fuzzy Hash: 40028E70E0020ADFDB18DFA8C895ABDBBF5FF48310F14852EE995A7281DB719845CB20
    Function 00DE1469 Relevance: 7.7, APIs: 5, Instructions: 243synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DE1470
    • VariantInit.OLEAUT32(?), ref: 00DE148F
    • VariantClear.OLEAUT32(?), ref: 00DE16E6
      • Part of subcall function 00DC29B7: __EH_prolog3.LIBCMT ref: 00DC29BE
      • Part of subcall function 00DCD2B4: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DCD2C1
      • Part of subcall function 00DCD2B4: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000), ref: 00DCD2CE
      • Part of subcall function 00DEA7E3: WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00DD3051,00000000), ref: 00DEA7FD
      • Part of subcall function 00DEA7E3: SetEvent.KERNEL32(?,?,?,?,00DD3051,00000000), ref: 00DEA82D
      • Part of subcall function 00DEA7E3: SetEvent.KERNEL32(?,?,?,?,00DD3051,00000000), ref: 00DEA835
    • WaitForSingleObject.KERNEL32(?,?,00000000,?,00000020,?,00000000), ref: 00DE1626
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DE167A
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$ObjectSingleWait$CreateH_prolog3Variant$ClearInit
    • String ID:
    • API String ID: 3159597242-0
    • Opcode ID: c8eb6ad3665edc61769ffdd718f021c5eaf75517ee4db608b775e769a88cc1de
    • Instruction ID: 565fbf0be0a07d95a29026e633506143df0854b579e45e2d25a2e0ee4120ec88
    • Opcode Fuzzy Hash: c8eb6ad3665edc61769ffdd718f021c5eaf75517ee4db608b775e769a88cc1de
    • Instruction Fuzzy Hash: 9281E039700295ABDB24AF668841BAE77B5FF48310F18452EF94ADB290DB30D901CBB5
    Function 00DE11C7 Relevance: 7.7, APIs: 5, Instructions: 235COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DE11CE
    • VariantInit.OLEAUT32(?), ref: 00DE11ED
    • VariantClear.OLEAUT32(?), ref: 00DE1458
      • Part of subcall function 00DDC7BD: __EH_prolog3.LIBCMT ref: 00DDC7C4
      • Part of subcall function 00DDC7BD: VariantClear.OLEAUT32(?), ref: 00DDC85F
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearH_prolog3$Init
    • String ID:
    • API String ID: 2628449074-0
    • Opcode ID: 45fd3f6ac823f1b1faba587d139e070a11fe569d40b4933cc203754d508ee98e
    • Instruction ID: daeb5ec00e5eb51cb331f9047c32edfbe2570cefd9e67d2c69d79ca25354adec
    • Opcode Fuzzy Hash: 45fd3f6ac823f1b1faba587d139e070a11fe569d40b4933cc203754d508ee98e
    • Instruction Fuzzy Hash: BE818C75B002869BDB15EFA6C882BAE77A5EF04300F14412AFA55EB281DB70D901CBB5
    Function 00DDFC35 Relevance: 7.7, APIs: 5, Instructions: 206COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free
    • String ID:
    • API String ID: 1391021980-0
    • Opcode ID: da223db84a2d3ad52b81dd418ed158231e1de2e49692e070d6dc5729b36731d6
    • Instruction ID: 6601b5f3291e2f45124181edbb03089c56d2e0963eab2dac14d516f3a30c9f94
    • Opcode Fuzzy Hash: da223db84a2d3ad52b81dd418ed158231e1de2e49692e070d6dc5729b36731d6
    • Instruction Fuzzy Hash: 1861A131200245ABDF15EF2ADC85EAA77A5EF84710F14443AFA46CB3A6DB31D981CB30
    Function 00DDFE93 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free
    • String ID:
    • API String ID: 1391021980-0
    • Opcode ID: d0624584f9c3ecbcecf1f2f5f0febc0f7eb199399f7c9101dacf9b3c5c32686b
    • Instruction ID: 82a72c804e162b423879d68c93b8bdf7b36936bcdae122dcf1dcc3eccf839b56
    • Opcode Fuzzy Hash: d0624584f9c3ecbcecf1f2f5f0febc0f7eb199399f7c9101dacf9b3c5c32686b
    • Instruction Fuzzy Hash: 7461A03120024BABCF25AF25CC41FAA7F61FF15750F04402AFA569B291DB71D9A6CBB1
    Function 00DE3973 Relevance: 7.6, APIs: 5, Instructions: 138COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CountTick$H_prolog3
    • String ID:
    • API String ID: 49165580-0
    • Opcode ID: 1c3e37a95c454ea702e9092b91762898f9b81c2d5563772d28421349f238c493
    • Instruction ID: 0632737015b90e9581aa24d98664f84479975c0d15c86930387d8e52a38f5d33
    • Opcode Fuzzy Hash: 1c3e37a95c454ea702e9092b91762898f9b81c2d5563772d28421349f238c493
    • Instruction Fuzzy Hash: B64130706007818FD725AF7AC88CA7ABBE5AF88705F14492DE186C7291DB71D981CF71
    Function 00DE7A73 Relevance: 7.6, APIs: 6, Instructions: 131COMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNEL32(?,?,?,?,00DC1762), ref: 00DE7B31
    • CloseHandle.KERNEL32(?,?,?,?,00DC1762), ref: 00DE7BB2
    • CloseHandle.KERNEL32(?,?,?,?,00DC1762), ref: 00DE7BBA
    • CloseHandle.KERNEL32(?,?,?,?,00DC1762), ref: 00DE7BC2
    • CloseHandle.KERNEL32(?,?,?,?,00DC1762), ref: 00DE7BCA
    • CloseHandle.KERNEL32(?,?,?,?,00DC1762), ref: 00DE7BD2
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: cae9c6ad0b460e317719cb91f2d10bdd97b9b0c9ecae382d6ba4d4e6d5d8cf90
    • Instruction ID: 080dd8451e1e28ec90e240b3d803841974b345c330c3ddaa974acf915cd2772e
    • Opcode Fuzzy Hash: cae9c6ad0b460e317719cb91f2d10bdd97b9b0c9ecae382d6ba4d4e6d5d8cf90
    • Instruction Fuzzy Hash: 82419036109B409AD3357F3AAC46F6AF3E2EF84B10F24451EE19A56292DE31B8018E34
    Function 00DD1B80 Relevance: 7.6, APIs: 5, Instructions: 80sleepfileCOMMON
    Download Yara Rule
    APIs
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00DD1BD9
    • Sleep.KERNEL32(000002BC), ref: 00DD1BF4
    • Sleep.KERNEL32(00000064), ref: 00DD1BFF
      • Part of subcall function 00DD19C8: __EH_prolog3.LIBCMT ref: 00DD19CF
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00DD1C2C
    • Sleep.KERNEL32(000002BC), ref: 00DD1C43
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Sleep$FileWrite$H_prolog3
    • String ID:
    • API String ID: 4149856356-0
    • Opcode ID: bbdb1bdcd54e5d0a4b349fb0a970ceb88d1974d0243e2587d43c6977cb5e43fc
    • Instruction ID: 0ec906bd50e1021bd48ca193bda365d261271a291b123b712ab261e6f74cb6be
    • Opcode Fuzzy Hash: bbdb1bdcd54e5d0a4b349fb0a970ceb88d1974d0243e2587d43c6977cb5e43fc
    • Instruction Fuzzy Hash: D121D175240704BFE7219BA6CC44EBBBAADEF45B40F10042FF65692280E630AA418B74
    Function 00DD6C57 Relevance: 7.6, APIs: 5, Instructions: 53synchronizationthreadCOMMON
    Download Yara Rule
    APIs
    • WaitForSingleObject.KERNEL32(00000000,000003E8,8007000E,?,00DD39CB,00000000,00000000,0000000C,?,00DC93B8,00000008), ref: 00DD6C65
    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,00DD39CB,00000000,00000000,0000000C,?,00DC93B8,00000008), ref: 00DD6C87
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00DD39CB,00000000,00000000,0000000C,?,00DC93B8,00000008), ref: 00DD6C94
    • CreateThread.KERNEL32(00000000,00000000,00DD6CDA,00E52588,00000000,?), ref: 00DD6CAA
    • SetEvent.KERNEL32(00000000,?,?,00DD39CB,00000000,00000000,0000000C,?,00DC93B8,00000008), ref: 00DD6CCE
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CreateEvent$ObjectSingleThreadWait
    • String ID:
    • API String ID: 2051137058-0
    • Opcode ID: 59593b4012961b45d3d078f2d8a00cd90ee43b803531d6d241f95ba333e19281
    • Instruction ID: f11671c38f6455dab40924f5e594bf4016fa09a3d963ff1c0d2e261d743b7990
    • Opcode Fuzzy Hash: 59593b4012961b45d3d078f2d8a00cd90ee43b803531d6d241f95ba333e19281
    • Instruction Fuzzy Hash: 18110CB0200209BFD7048F6ADC88D26BFACFB54359714812AB54986640D771EC948BF0
    Function 00DED6D1 Relevance: 7.5, APIs: 5, Instructions: 37COMMON
    Download Yara Rule
    APIs
    • EnterCriticalSection.KERNEL32(00E525F4,00E51D18,?,00DC1A7A,00E51D18), ref: 00DED6DB
    • LeaveCriticalSection.KERNEL32(00E525F4,?,00DC1A7A,00E51D18), ref: 00DED70E
    • RtlWakeAllConditionVariable.NTDLL ref: 00DED791
    • SetEvent.KERNEL32(?,00E51D18), ref: 00DED79B
    • ResetEvent.KERNEL32(?,00E51D18), ref: 00DED7A7
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
    • String ID:
    • API String ID: 3916383385-0
    • Opcode ID: 265adad5faf9ef91c14a6a5b5ef659a66d4430441287d2c791115bcee6eb69c1
    • Instruction ID: ab5997b607de7a7fc45d3ef3ec553970ad9ed3f55de74f58acb7de95ec7193fd
    • Opcode Fuzzy Hash: 265adad5faf9ef91c14a6a5b5ef659a66d4430441287d2c791115bcee6eb69c1
    • Instruction Fuzzy Hash: AD016D71502624DFC709AF16FC5C9987BA5FB0A7027094469FA42A7320DB715C48CF96
    Function 00DF6E3D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 125COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • DName::operator+.LIBCMT ref: 00DF6E70
      • Part of subcall function 00DF448C: DName::operator+=.LIBCMT ref: 00DF44A2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+Name::operator+=
    • String ID: p2
    • API String ID: 382699925-300010787
    • Opcode ID: 4a106d39fbf9f62d9574592a1fbe804acff7d0b77c37d94ec78ae26f2233276d
    • Instruction ID: fd0628d5790477efb9127194516ab6e14eee25091e2f60106a714a9fd5a896b0
    • Opcode Fuzzy Hash: 4a106d39fbf9f62d9574592a1fbe804acff7d0b77c37d94ec78ae26f2233276d
    • Instruction Fuzzy Hash: AA4128B5C0020E9BCB04CFA8E5865FEBBB8FF44304F15851AE605B7651D774DA888BA0
    Function 00DF84ED Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: operator+$Name::operator+
    • String ID: P1
    • API String ID: 1198235884-3264564681
    • Opcode ID: a72e4ed2f0ef7875d927c1c4f7cb0149ec9272ff6742d0baa190b4c910d979dd
    • Instruction ID: 477a3b4925d1b65d83f78ce699901f7c7ee5ccb94aabbf5b39d7cd98a8dd6725
    • Opcode Fuzzy Hash: a72e4ed2f0ef7875d927c1c4f7cb0149ec9272ff6742d0baa190b4c910d979dd
    • Instruction Fuzzy Hash: DE414BB190420DAFDF15CF90D849BBEBBB1AB00304F19C449E655AB251DBB49A88EB61
    Function 00DEB0BE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97fileCOMMON
    Download Yara Rule
    APIs
    • wsprintfA.USER32 ref: 00DEB0F6
    • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,40000000,00000000,?,?,?,?), ref: 00DEB131
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CreateFilewsprintf
    • String ID: \\.\USBIO_Device%d
    • API String ID: 4000511911-2422119442
    • Opcode ID: ef7d2e98e3b04b2b733b81fcc7e1b1eba031e0bf56fec31941965a95a3a8f029
    • Instruction ID: 618e2d3b5243557a3bb870b8a2acde0286e18ae0b562976c74042926372172f0
    • Opcode Fuzzy Hash: ef7d2e98e3b04b2b733b81fcc7e1b1eba031e0bf56fec31941965a95a3a8f029
    • Instruction Fuzzy Hash: 5431E371600749AFEB14AF66DD95AAB77A9EB44378F14042AF942D7280DB34FE008B70
    Function 00DCFAAA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$FreeH_prolog3
    • String ID: Z
    • API String ID: 315669285-1505515367
    • Opcode ID: 646b14df63c6c78049ad7801fe61356f7b7c7e544ca0afdab2ed5abb3990808b
    • Instruction ID: 559c76414fbc36d697f2a62dbb834b35f8669eb18af5c6effa080b64bf889272
    • Opcode Fuzzy Hash: 646b14df63c6c78049ad7801fe61356f7b7c7e544ca0afdab2ed5abb3990808b
    • Instruction Fuzzy Hash: 543103312042868FDB219F68C8D5BED7BA3EF59310F28807DD8899B262CB309D41CB74
    Function 00DCF9E8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$FreeH_prolog3
    • String ID: Z
    • API String ID: 315669285-1505515367
    • Opcode ID: 08a093cf60d255102e8cd099bc4e2e746948dc32b5b28c5413958fffdef348be
    • Instruction ID: 25497759197215822ba24b9954b4bae98c2e3bddee22434db13916b5488e2f72
    • Opcode Fuzzy Hash: 08a093cf60d255102e8cd099bc4e2e746948dc32b5b28c5413958fffdef348be
    • Instruction Fuzzy Hash: 4B21D8355056D69FDB169F78C885BD9BF939F4A310F1884BCE8888F262CA30CA42C771
    Function 00DEF063 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON
    Download Yara Rule
    APIs
    • __is_exception_typeof.LIBVCRUNTIME ref: 00DEF0F7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: __is_exception_typeof
    • String ID: MOC$RCC$csm
    • API String ID: 3140442014-2671469338
    • Opcode ID: 5036ff1f19b1d745749d52698a912dd99f79608e9c8df7bfbd46851ff7a5574e
    • Instruction ID: b7974c36a1287cdd01bef724e6aebdbdc56d54ea1d2c17ccd9289dd9e283155c
    • Opcode Fuzzy Hash: 5036ff1f19b1d745749d52698a912dd99f79608e9c8df7bfbd46851ff7a5574e
    • Instruction Fuzzy Hash: 55118235104388DFD718BF65C402BA9B7E8EF44325F1A44AAE9449B262E774ED40CBB2
    Function 00DCAE76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,0002001F,?,00DCB914,?,00000000,00000000,00000000,00000000,0002001F,00000000,00000001,?,?,00000000,00020019), ref: 00DCAE86
    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00DCAE96
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegCreateKeyTransactedA
    • API String ID: 1646373207-1184998024
    • Opcode ID: 398dcb0828418fd21768696dca54cc2350886b5538b2d8a1fa4acc6c3c523e4e
    • Instruction ID: 14cb3911ba3fe3fd04367cfea4c7085abad3600550c998d04bd971d8d30d0620
    • Opcode Fuzzy Hash: 398dcb0828418fd21768696dca54cc2350886b5538b2d8a1fa4acc6c3c523e4e
    • Instruction Fuzzy Hash: 36F03C3220020EEFCF114F94DC08FDA7FA9AB08755F084429FA94A1060C372C4B0EBA2
    Function 00DCAED9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,?,00DC986D,?,00000000,00000000,?,00DCBB9F,?), ref: 00DCAEEB
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00DCAEFB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyTransactedA
    • API String ID: 1646373207-1972538232
    • Opcode ID: cadc5cba5645b6c9dffb92037c4d73370258245b3ad9fa69f1f70ab602d6e586
    • Instruction ID: b60da9a331b5472d5f60cba1b12f5f1f28d632b3d6497f8fcf48784797f42f11
    • Opcode Fuzzy Hash: cadc5cba5645b6c9dffb92037c4d73370258245b3ad9fa69f1f70ab602d6e586
    • Instruction Fuzzy Hash: 4BF08272248209AE87221F5AAC08D677BBCEFD5B66708453EF595D2010D6318894DB72
    Function 00DE254A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON
    Download Yara Rule
    APIs
    • wsprintfA.USER32 ref: 00DE2584
    • WriteProfileStringA.KERNEL32(CZCanSrv,Internal_Address,?), ref: 00DE259B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ProfileStringWritewsprintf
    • String ID: CZCanSrv$Internal_Address
    • API String ID: 609129029-1854094473
    • Opcode ID: 10033d6f260dbb21339cd59e595e0194e2d4883eaed9b87f6e33f7a25d4d5f68
    • Instruction ID: a2f5dcfd9b1eaa166c201b7d1e794b752a36ae6b7454e879db1100815ed2a79e
    • Opcode Fuzzy Hash: 10033d6f260dbb21339cd59e595e0194e2d4883eaed9b87f6e33f7a25d4d5f68
    • Instruction Fuzzy Hash: 24F0967161024DAFD700FB65DC0ADFEBBECEF48310F854476E441E3190DAA49A45C7A6
    Function 00DE2777 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON
    Download Yara Rule
    APIs
    • wsprintfA.USER32 ref: 00DE27AF
    • WriteProfileStringA.KERNEL32(CZCanSrv,sPID_Min,?), ref: 00DE27C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ProfileStringWritewsprintf
    • String ID: CZCanSrv$sPID_Min
    • API String ID: 609129029-2102269617
    • Opcode ID: 8a0fde86b9d36eb434ef2ea0d8a4c8fa1ed08c7970c8d359363c5ca296e0b8c0
    • Instruction ID: 0b98e4d0d6a5be52e82ad181c09ffc938a5705e0ab38bd3a90ce6ccd65074cd9
    • Opcode Fuzzy Hash: 8a0fde86b9d36eb434ef2ea0d8a4c8fa1ed08c7970c8d359363c5ca296e0b8c0
    • Instruction Fuzzy Hash: 52F09A61610248AE8710BBA99C0A9FFBBA8EF09700F450432E441E3280EAB09948C7A6
    Function 00DE270C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON
    Download Yara Rule
    APIs
    • wsprintfA.USER32 ref: 00DE2744
    • WriteProfileStringA.KERNEL32(CZCanSrv,sPID_Max,?), ref: 00DE275B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ProfileStringWritewsprintf
    • String ID: CZCanSrv$sPID_Max
    • API String ID: 609129029-1094920680
    • Opcode ID: 23f6f53469adc060f5a026d60ad79344a4d2d21a2dc61756ac8bd610ef19a9c8
    • Instruction ID: e041f3aa251e616ee70dba4fd9a63702e1e3e2c0918b07901b365f5d36f302dd
    • Opcode Fuzzy Hash: 23f6f53469adc060f5a026d60ad79344a4d2d21a2dc61756ac8bd610ef19a9c8
    • Instruction Fuzzy Hash: ECF03071A10349AF9710FB659D0A9FF7BACEF08B00F850436A441E7291EAB49948C7A6
    Function 00DCAF2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,00DCAA8A,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00DCADD3,?,00000000), ref: 00DCAF3B
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00DCAF4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegOpenKeyTransactedA
    • API String ID: 1646373207-496252237
    • Opcode ID: e1ea1154cadbd266475deb74b235710e12fbbf2e5034ea70a9d267636e0be121
    • Instruction ID: a556700ca23b7cf5a992336cc7126d21b64a88807e92544d688534f0283a7508
    • Opcode Fuzzy Hash: e1ea1154cadbd266475deb74b235710e12fbbf2e5034ea70a9d267636e0be121
    • Instruction Fuzzy Hash: 25F0307114420EABCB215FA5AC08F963FA9AF14755F08042DF586E1060C772D4A0EF62
    Function 00DF9E0A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: NameName::
    • String ID: 2$2$2
    • API String ID: 1333004437-4005278346
    • Opcode ID: 23ab8e02418db1f35c46a696513cfe4df666d2c59df41fbfc35e2dfbf9e8e192
    • Instruction ID: 69c194d79fbc72559f02493bc6b5438f70a8996e5f472fe736bd40a41dc384b5
    • Opcode Fuzzy Hash: 23ab8e02418db1f35c46a696513cfe4df666d2c59df41fbfc35e2dfbf9e8e192
    • Instruction Fuzzy Hash: A6F0907050120CAFD705DF44D466BEA7BE4AB01359F05C049F6099B252C7B0DA84C760
    Function 00DFAA5F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00DFAA1A), ref: 00DFAA6C
    • GetLastError.KERNEL32(?,00DFAA1A), ref: 00DFAA76
    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00DFAA9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 4c859f6b519cf8b46b597e2b644ab8724c56fecfa7387541e09f761e05500f24
    • Instruction ID: 015854e702ecf0972a5f3b7e01fd1a543eb60e0a520f8684b85d8f73bfc5689a
    • Opcode Fuzzy Hash: 4c859f6b519cf8b46b597e2b644ab8724c56fecfa7387541e09f761e05500f24
    • Instruction Fuzzy Hash: 7EE0127078020CBBDB201F65EC4AF693F949B10B51F288030FA4CB80B0D76699949996
    Function 00DD2BC6 Relevance: 6.4, APIs: 4, Instructions: 403synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DD2BCD
      • Part of subcall function 00DC29B7: __EH_prolog3.LIBCMT ref: 00DC29BE
      • Part of subcall function 00DD6EE2: __EH_prolog3.LIBCMT ref: 00DD6EE9
    • WaitForSingleObject.KERNEL32(?,000003E8,00000000,00DD2BB2,00000000,00000000,00000000,00000000,?), ref: 00DD3094
    • SetEvent.KERNEL32(?,?,?,000003E8,00000000,00DD2BB2,00000000,00000000,00000000,00000000,?), ref: 00DD30AF
    • SetEvent.KERNEL32(?,?,?,?,000003E8,00000000,00DD2BB2,00000000,00000000,00000000,00000000,?), ref: 00DD30BE
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: H_prolog3$Event$ObjectSingleWait
    • String ID:
    • API String ID: 3109296122-0
    • Opcode ID: f03f1e357c010f53e8608fdf1462859de766433e5093cf71ae833e41aa036547
    • Instruction ID: 4dc254e8dab63aadfd8f6bb0129fe670b33f9d91ae1750fdeedc01bd195a929d
    • Opcode Fuzzy Hash: f03f1e357c010f53e8608fdf1462859de766433e5093cf71ae833e41aa036547
    • Instruction Fuzzy Hash: E4F17B706013419FDB68DF69C591B29BBF5AF18310F24855EE846CB392DB71ED81CBA0
    Function 00DE7F2B Relevance: 6.4, APIs: 4, Instructions: 370synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DE7F32
    • WaitForSingleObject.KERNEL32(?,00000000,0000000C,00DE8D66,00000024,00DEA3B2), ref: 00DE7F51
    • SetEvent.KERNEL32(?), ref: 00DE7F72
      • Part of subcall function 00DE846A: GetTickCount.KERNEL32 ref: 00DE84C1
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,0000000C,00DE8D66,00000024,00DEA3B2), ref: 00DE83D0
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$CountH_prolog3ObjectSingleTickWait
    • String ID:
    • API String ID: 3120870372-0
    • Opcode ID: 6939072095fd1f95d3685324a4e21374a022be5445962c55870a0634ca9d68bc
    • Instruction ID: 5242ff219147c12bac3497c774266b34fc66521549f745c5fb46866be1bc68a4
    • Opcode Fuzzy Hash: 6939072095fd1f95d3685324a4e21374a022be5445962c55870a0634ca9d68bc
    • Instruction Fuzzy Hash: CBD1AD70600B42DFEB28AF66C855B7AB2E1FF08700F18452EE54A972D1DB74D845EB71
    Function 00DCA94F Relevance: 6.4, APIs: 5, Instructions: 109COMMON
    Download Yara Rule
    APIs
    • CharNextA.USER32(00000000,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA976
    • CharNextA.USER32(00000000,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA993
    • CharNextA.USER32(00000000,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA99E
    • CharNextA.USER32(?,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCA9EA
    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,00DCB38D,00000000,?), ref: 00DCAA06
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CharNext
    • String ID:
    • API String ID: 3213498283-0
    • Opcode ID: 5ccd15c604d65ac17bbae4f80c31dbfe2b0241885715893f66f67d869d0cc56d
    • Instruction ID: e059ab7122a10232fc8c7f2a7915da04e7b06ba192ae4ac84509d7b2bc1ebe44
    • Opcode Fuzzy Hash: 5ccd15c604d65ac17bbae4f80c31dbfe2b0241885715893f66f67d869d0cc56d
    • Instruction Fuzzy Hash: 7431C434A0424B9FDB158F3CC590B6DBFB1AF59348F28946DD4C697312E6308881CB32
    Function 00E2985A Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetConsoleOutputCP.KERNEL32(3D2EC555,?,00000000,?), ref: 00E298BD
      • Part of subcall function 00E23C97: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000001,0000FDE9,00000000,?,?,?,00E2093C,?,00000000,?), ref: 00E23D43
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E29B18
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00E29B60
    • GetLastError.KERNEL32 ref: 00E29C03
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
    • String ID:
    • API String ID: 2112829910-0
    • Opcode ID: 2e41e2bbbfd5ebf35aa58a8aad644b2f22549ba7212cc7b6c99317717c190fd4
    • Instruction ID: 308977308840420da92678b6c6f8d655e8fc99dfb4a5d83c647fdba176cc65d1
    • Opcode Fuzzy Hash: 2e41e2bbbfd5ebf35aa58a8aad644b2f22549ba7212cc7b6c99317717c190fd4
    • Instruction Fuzzy Hash: 83D149B5D002689FCF15CFA8E8809ADBBF5FF48314F18552AE856FB352D630A945CB50
    Function 00DD85DD Relevance: 6.3, APIs: 4, Instructions: 303COMMON
    Download Yara Rule
    APIs
    • SysStringLen.OLEAUT32(?), ref: 00DD85F8
    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DD8780
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DD887B
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DD8911
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArrayDataSafe$Unaccess$AccessString
    • String ID:
    • API String ID: 204065322-0
    • Opcode ID: 6fd334fb7a60d83615d3fa115293d45687c15f2edbf1adf38d26b1b86f4d989d
    • Instruction ID: 18423a8f52f9bf140197431175052ae10d81b43b269f4e327923e8af02697a2c
    • Opcode Fuzzy Hash: 6fd334fb7a60d83615d3fa115293d45687c15f2edbf1adf38d26b1b86f4d989d
    • Instruction Fuzzy Hash: 15A1E035505340AEDB26AF14DD41A7ABBA1EF44710F68445BE9C28BB92DE31E881EB30
    Function 00DE0EA9 Relevance: 6.3, APIs: 4, Instructions: 268COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: H_prolog3
    • String ID:
    • API String ID: 431132790-0
    • Opcode ID: 755e262cf42073285a3f6733512378ef087fd1f75b27590dba9f8ade04bf1941
    • Instruction ID: f4ab7ca2aff82872af74b2d4d168318e2578a3738a6e7d0003669e9fe6097a84
    • Opcode Fuzzy Hash: 755e262cf42073285a3f6733512378ef087fd1f75b27590dba9f8ade04bf1941
    • Instruction Fuzzy Hash: DAA1487470028A9FDB15AF65C892BBE77A6FF04304F180029FA15AB291DB71AD51CB71
    Function 00DDE421 Relevance: 6.3, APIs: 4, Instructions: 255COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String
    • String ID:
    • API String ID: 2568140703-0
    • Opcode ID: e1502ffa6ac7c8df97c78148f7549365876670311aa1d4c52a9c1479c20f885d
    • Instruction ID: e7a5e7b4431c895884870f68b532bf3b4fba456dd2bfa2f30c317c978382cb17
    • Opcode Fuzzy Hash: e1502ffa6ac7c8df97c78148f7549365876670311aa1d4c52a9c1479c20f885d
    • Instruction Fuzzy Hash: FF91AE71600205ABCB15EF65CC81EAA7BB5EF94300F14846AF946DF391EB31D981CB74
    Function 00DDDBE7 Relevance: 6.2, APIs: 4, Instructions: 233COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String
    • String ID:
    • API String ID: 2568140703-0
    • Opcode ID: 534673c6a28c053654f8bcd4d4bb52f3eaa9af7cbf60215d3c94a24b7083f25e
    • Instruction ID: 6a039d894ee9fbb6d99d330b76c24189362acc30c3800b770e255e4dc38a597e
    • Opcode Fuzzy Hash: 534673c6a28c053654f8bcd4d4bb52f3eaa9af7cbf60215d3c94a24b7083f25e
    • Instruction Fuzzy Hash: 4C819C71600205EBDF15EF69DC81EAA7BB6EF94300F14406AFA86DB291DB70D981CB70
    Function 00DDECB6 Relevance: 6.2, APIs: 4, Instructions: 182COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID:
    • API String ID: 2610073882-0
    • Opcode ID: c7d059815dcae02a45ee06c9ba2afa0dda27ac47f228b93834eda8d039b99ac8
    • Instruction ID: e6ea5c18630686be21f4412ed6e976e5334f8e7e71a032c61ac4f02a5a8d762a
    • Opcode Fuzzy Hash: c7d059815dcae02a45ee06c9ba2afa0dda27ac47f228b93834eda8d039b99ac8
    • Instruction Fuzzy Hash: 88519071600606AFDB11EF69C981AAAB7E5FF08704F14452AF949EB391EB71ED00CB71
    Function 00DDEAB6 Relevance: 6.2, APIs: 4, Instructions: 181COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID:
    • API String ID: 2610073882-0
    • Opcode ID: 51cd33de9645824641caa2e1c753f2a3043c7ea962fc37df2809f1c5373b25b1
    • Instruction ID: fa1f61cfefe6b2c21e5f4105b086e768d53771cf647e034ee1ace32a2ed4d944
    • Opcode Fuzzy Hash: 51cd33de9645824641caa2e1c753f2a3043c7ea962fc37df2809f1c5373b25b1
    • Instruction Fuzzy Hash: CE517F7161060AEFDB15EF69C981EAAB7A9FF04300F04412AFA46DB291DB71EC50CB71
    Function 00DE33CA Relevance: 6.2, APIs: 4, Instructions: 179COMMON
    Download Yara Rule
    APIs
    • SysStringLen.OLEAUT32(?), ref: 00DE3403
    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DE3488
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DE34CF
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DE357B
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArrayDataSafe$Unaccess$AccessString
    • String ID:
    • API String ID: 204065322-0
    • Opcode ID: ecaa2e6a2cdbdffa45bf11f0a3fa8075a4024a0ca040aec6a035010c472d46e3
    • Instruction ID: 674834a0ce69f9cb1eb4580882e7a307dde7d6e103c6b222231e88a7183f13cc
    • Opcode Fuzzy Hash: ecaa2e6a2cdbdffa45bf11f0a3fa8075a4024a0ca040aec6a035010c472d46e3
    • Instruction Fuzzy Hash: 6B51F675604291EFCB15FF2AC84897977E6EF88310768846AF946CB390DA30DE42CB71
    Function 00DDC9BE Relevance: 6.2, APIs: 4, Instructions: 172COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    • Opcode ID: 0b8929caab720a6ad0226aec08575a315715d2013e51f186f86ae536e0f71c88
    • Instruction ID: 5f5efa2881dd847df847c9640059568a639c44e12eaef9bf745335706b10083b
    • Opcode Fuzzy Hash: 0b8929caab720a6ad0226aec08575a315715d2013e51f186f86ae536e0f71c88
    • Instruction Fuzzy Hash: 7A5160316153469BDB14EF79CC92BAABBA8EF05700F05212BB945DB392DB70D804CBB0
    Function 00DF28C4 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: faffa5496ab821627418f5d80a6b951b693ffcaa19b0301d538b0e39a38d37b4
    • Instruction ID: f80e72a8fdcc085b4364ce3d7b5f08f4fa6fb34c8789aee55b96235777e5e010
    • Opcode Fuzzy Hash: faffa5496ab821627418f5d80a6b951b693ffcaa19b0301d538b0e39a38d37b4
    • Instruction Fuzzy Hash: D451E17264174A9FDB299F10D881B7A77A4FF04310F1AC12DEA8547291D7B1ED81DBB0
    Function 00DDF30A Relevance: 6.2, APIs: 4, Instructions: 167COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID:
    • API String ID: 2610073882-0
    • Opcode ID: be4f3b97e6daae0a8647852170a33d7f57315115e2226cb9059bc6acf511c71c
    • Instruction ID: 72f961d0dbcc4b396640696e5596bc5ec88c8bc15286852cac8db3371e90cfdb
    • Opcode Fuzzy Hash: be4f3b97e6daae0a8647852170a33d7f57315115e2226cb9059bc6acf511c71c
    • Instruction Fuzzy Hash: A051C071200706AFEB21AF65DC81EAB77A6EF04714F04452EFA469B290DB71E844CB70
    Function 00DDE719 Relevance: 6.2, APIs: 4, Instructions: 164COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID:
    • API String ID: 2610073882-0
    • Opcode ID: 28d6f2286e3d91da30aae7369848a00ebc44674e11341db6424675a597c4f465
    • Instruction ID: c1e85dac3f8138a5cb5776edc6bbd7419b0c5c7150029fa59ddc41929e6b640b
    • Opcode Fuzzy Hash: 28d6f2286e3d91da30aae7369848a00ebc44674e11341db6424675a597c4f465
    • Instruction Fuzzy Hash: 8D519171600606AFDB21BF65DC81BAA77AAEF44714F04052EFA45DB390EB71E801DB71
    Function 00DDE8ED Relevance: 6.2, APIs: 4, Instructions: 162COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID:
    • API String ID: 2610073882-0
    • Opcode ID: cf2a7a92af3c5e1253c6ad582b0b308d19f090a53b6385474a64adcacf4a66c6
    • Instruction ID: a591bd0acd7a697e9e2adde5f1e5a970419d1f9762c32260aeab920e88965402
    • Opcode Fuzzy Hash: cf2a7a92af3c5e1253c6ad582b0b308d19f090a53b6385474a64adcacf4a66c6
    • Instruction Fuzzy Hash: F5519071600606AFDF11EF65CC81AAAB7AAFF04300F44542AFA45DB291DB71E850CB70
    Function 00DDEEC0 Relevance: 6.2, APIs: 4, Instructions: 162COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID:
    • API String ID: 2610073882-0
    • Opcode ID: f18579b4141a0b302c40b6f011fd44e834ae76e2962798a4ad6179810a770c91
    • Instruction ID: 3c975095b80109adf591fa336e3eb62dd1407ea5d84fba31b6063632c72e170a
    • Opcode Fuzzy Hash: f18579b4141a0b302c40b6f011fd44e834ae76e2962798a4ad6179810a770c91
    • Instruction Fuzzy Hash: 9A518F71600706ABDB21AF65D881BBA77A9EF04704F04052AF946DB391DB75E801CB70
    Function 00DD6A01 Relevance: 6.2, APIs: 4, Instructions: 160COMMON
    Download Yara Rule
    APIs
    • SysStringLen.OLEAUT32(?), ref: 00DD6A37
    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DD6ABF
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DD6B0E
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DD6B86
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArrayDataSafe$Unaccess$AccessString
    • String ID:
    • API String ID: 204065322-0
    • Opcode ID: 7483bf02ebfef20eb715c3fd6a1f2af0d4cca9147e60f1819562bf3b275f4c83
    • Instruction ID: cb60d9fd149fb63747bad0b3e536cdc09f1eeaab2b3b13ad903e2df29625e947
    • Opcode Fuzzy Hash: 7483bf02ebfef20eb715c3fd6a1f2af0d4cca9147e60f1819562bf3b275f4c83
    • Instruction Fuzzy Hash: DB51D679300302ABCB28EF68D84497977A4FF58314B55902BE986DBB51EB31ED4287F4
    Function 00DD0103 Relevance: 6.1, APIs: 4, Instructions: 133synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00DD010A
    • WaitForSingleObject.KERNEL32(?,000003E8,00000004,00DD9A24,?,?,?,00000001,?,?,00000001,00E3C9FA), ref: 00DD0126
    • SetEvent.KERNEL32(?,?,?,00000001,00E3C9FA), ref: 00DD01A2
    • SetEvent.KERNEL32(?,?,?,00000001,00E3C9FA), ref: 00DD029D
      • Part of subcall function 00DD0CA0: __EH_prolog3.LIBCMT ref: 00DD0CA7
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$H_prolog3H_prolog3_catchObjectSingleWait
    • String ID:
    • API String ID: 1505417302-0
    • Opcode ID: abdeaeb998b56ca5512114ee17a8195c0e295f4f550b3c8b309ae729ed16a03f
    • Instruction ID: 16e615815c69359546391b924a7555acb0eaced38dba371ca9e3ceacb7c6b085
    • Opcode Fuzzy Hash: abdeaeb998b56ca5512114ee17a8195c0e295f4f550b3c8b309ae729ed16a03f
    • Instruction Fuzzy Hash: 4B416A34601745EBDB259F659894BAA7FA1EF88349F58442EEC9ACB340DB30ED01DB31
    Function 00DCA731 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DCA738
    • SysFreeString.OLEAUT32(00000000), ref: 00DCA834
    • SysStringLen.OLEAUT32(00000000), ref: 00DCA840
    • SysFreeString.OLEAUT32(?), ref: 00DCA864
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Free$H_prolog3
    • String ID:
    • API String ID: 2834181473-0
    • Opcode ID: 21647988a46326bb4352ef57eba0a724a8b1b7accc258bc6a658a453eb82280e
    • Instruction ID: 2821475a85938199b67c87fc333502ee194051b9b0a58c562257f932c8964519
    • Opcode Fuzzy Hash: 21647988a46326bb4352ef57eba0a724a8b1b7accc258bc6a658a453eb82280e
    • Instruction Fuzzy Hash: AD412C71A0020AEFDB04CFA9C885EAEBBB4FF48354B10851EE955EB250D774DA41CBB1
    Function 00DDB5C3 Relevance: 6.1, APIs: 4, Instructions: 106COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DC32F9: RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DEVICEMAP\SERIALCOMM,00000000,00020019,?), ref: 00DC3346
      • Part of subcall function 00DC32F9: RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DEVICEMAP\SERIALCOMM,?), ref: 00DC335D
    • VarBstrCmp.OLEAUT32(?,?,00000400,00000000), ref: 00DDB64F
    • SysFreeString.OLEAUT32(?), ref: 00DDB6D8
    • SysFreeString.OLEAUT32(?), ref: 00DDB6DD
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeOpenString$Bstr
    • String ID:
    • API String ID: 3277079221-0
    • Opcode ID: 2e64f71acb0d3d055782beca89e0a7a187f782858bd476395ad78e4f405790d4
    • Instruction ID: e78ed6cee76931344ac4a21be3fa5a5e8a5cdc5ca4a6365b9807e7e45ece3214
    • Opcode Fuzzy Hash: 2e64f71acb0d3d055782beca89e0a7a187f782858bd476395ad78e4f405790d4
    • Instruction Fuzzy Hash: 45317838500219EBCB14EF5ADD81DAE7BB5EF49324B19841BF905AB260D770EE11DB70
    Function 00DDBE29 Relevance: 6.1, APIs: 4, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • VarBstrCmp.OLEAUT32(?,?,00000400,00000000), ref: 00DDBEB5
    • SysFreeString.OLEAUT32(?), ref: 00DDBF3E
    • SysFreeString.OLEAUT32(?), ref: 00DDBF43
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FreeString$Bstr
    • String ID:
    • API String ID: 4030336018-0
    • Opcode ID: 299dd8b1922047ed1f628df92df435ac6bb25d92199e848a473c311031b6fb2b
    • Instruction ID: 9bde84a6b86c7119496749aef02b808b0a93f818ce4c66bc4ec2e7d697e790c8
    • Opcode Fuzzy Hash: 299dd8b1922047ed1f628df92df435ac6bb25d92199e848a473c311031b6fb2b
    • Instruction Fuzzy Hash: 0531867460021AEBCB14DF65DC80EAE77B9EF49364B15845BFA01AB360EB719E00DB70
    Function 00DE7E02 Relevance: 6.1, APIs: 4, Instructions: 98COMMON
    Download Yara Rule
    APIs
    • GetTickCount.KERNEL32 ref: 00DE7E24
    • GetTickCount.KERNEL32 ref: 00DE7E51
    • GetTickCount.KERNEL32 ref: 00DE7E89
    • GetTickCount.KERNEL32 ref: 00DE7ED5
      • Part of subcall function 00DE9D2E: __EH_prolog3_catch.LIBCMT ref: 00DE9D35
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CountTick$H_prolog3_catch
    • String ID:
    • API String ID: 1685357072-0
    • Opcode ID: 09fd2a60a0f3f0f093e23af2ed707b5bce76fbe76ae82a191394754605e04da8
    • Instruction ID: cbbb111272550a1c7a1f094daf308f09bdc913587bd85b0f4b48db2ff431e5f3
    • Opcode Fuzzy Hash: 09fd2a60a0f3f0f093e23af2ed707b5bce76fbe76ae82a191394754605e04da8
    • Instruction Fuzzy Hash: FB319E75604792DAD770AB27C888BABB7F5FF84B10F28098DF45A96181D770AD80CB71
    Function 00DEC302 Relevance: 6.1, APIs: 4, Instructions: 95COMMON
    Download Yara Rule
    APIs
    • SetupDiEnumDeviceInterfaces.SETUPAPI(?,00000000,?,?,0000001C), ref: 00DEC363
    • GetLastError.KERNEL32 ref: 00DEC36D
    • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,0000001C,00000000,00000000,?,00000000), ref: 00DEC38A
    • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,0000001C,?,00000000,00000000,00000000), ref: 00DEC3D3
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: DeviceSetup$DetailInterface$EnumErrorInterfacesLast
    • String ID:
    • API String ID: 71021248-0
    • Opcode ID: caf6377076b84fafbe81290a16aa114c28e484b8997b23d4e255f105d6fb6929
    • Instruction ID: 1401086aadc666f782fed8188fda8270fb577738bb14cd87ce60f2cc3e970e90
    • Opcode Fuzzy Hash: caf6377076b84fafbe81290a16aa114c28e484b8997b23d4e255f105d6fb6929
    • Instruction Fuzzy Hash: 2A317871A00249AFEB10EFA6CD85FEEB7FCEB08704F145429E501A2180D775ED059B31
    Function 00DD8E3D Relevance: 6.1, APIs: 4, Instructions: 89memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: a1e52ffc537e732eaf3007be999ab4871961693f0300b1f63d8ff8a737d7ab71
    • Instruction ID: 0486112adc539e1446bf29c07a73a5643a07d79f2d217992994d5c22e98d4718
    • Opcode Fuzzy Hash: a1e52ffc537e732eaf3007be999ab4871961693f0300b1f63d8ff8a737d7ab71
    • Instruction Fuzzy Hash: 8421C171900209FBDB119FA4DC45F5ABBBDEF04344F14842AF944E6311EA36DA549B70
    Function 00E21AD4 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00E23C97: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000001,0000FDE9,00000000,?,?,?,00E2093C,?,00000000,?), ref: 00E23D43
    • GetLastError.KERNEL32 ref: 00E21B38
    • __dosmaperr.LIBCMT ref: 00E21B3F
    • GetLastError.KERNEL32(?,?,?,?), ref: 00E21B79
    • __dosmaperr.LIBCMT ref: 00E21B80
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
    • String ID:
    • API String ID: 1913693674-0
    • Opcode ID: e4d31b30fd251003ffb0feb41b4062aaf56297509f6b2b2bae2f82e6639a144e
    • Instruction ID: 1a87e8679d718552cab32cf10bf8b47ef883b7102bcd4ef8a71e7ba7c9d141b7
    • Opcode Fuzzy Hash: e4d31b30fd251003ffb0feb41b4062aaf56297509f6b2b2bae2f82e6639a144e
    • Instruction Fuzzy Hash: 1221C271600229FF9B20AF71A885C7BB7BEFF243687119569F919A7150E730ED008BA0
    Function 00E23DE9 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
    Download Yara Rule
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 00E23DF1
      • Part of subcall function 00E23C97: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000001,0000FDE9,00000000,?,?,?,00E2093C,?,00000000,?), ref: 00E23D43
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E23E29
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E23E49
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
    • String ID:
    • API String ID: 158306478-0
    • Opcode ID: ee5253029ee8a76ad7c6acc3ce8b4d2a6e925a6b259dd6a18f0543e5b39773a6
    • Instruction ID: f4c3fc22bf1e55b79289b0aa51d2c033b6dd4a2e1bc8549402be1838bde4db10
    • Opcode Fuzzy Hash: ee5253029ee8a76ad7c6acc3ce8b4d2a6e925a6b259dd6a18f0543e5b39773a6
    • Instruction Fuzzy Hash: DB11C8F1A066297EA61127726C8DCBFAD9CDF893947151128F802F2101FA78CF458A71
    Function 00DD0AA2 Relevance: 6.1, APIs: 4, Instructions: 57networksynchronizationCOMMON
    Download Yara Rule
    APIs
    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00DD0AC7
    • SetEvent.KERNEL32(?), ref: 00DD0B01
    • WSACleanup.WS2_32 ref: 00DD0B0C
    • WSAStartup.WS2_32(00000101,?), ref: 00DD0B1E
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CleanupEventObjectSingleStartupWait
    • String ID:
    • API String ID: 1154366343-0
    • Opcode ID: 86c72382f19f13272470191e9a95ed2b71cde73cf3fc369fa0ef8e5c94767afe
    • Instruction ID: 60db562ee2f8984a88da93aeccc53bf56e6fad4860fae9ad12e201154deb38e3
    • Opcode Fuzzy Hash: 86c72382f19f13272470191e9a95ed2b71cde73cf3fc369fa0ef8e5c94767afe
    • Instruction Fuzzy Hash: 831170317003159FDB149F65CC85BAEBBA8EB95705F19443BE946D2240DAB09C49CBA1
    Function 00DD8C94 Relevance: 6.1, APIs: 4, Instructions: 56synchronizationCOMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DD8C9B
    • WaitForSingleObject.KERNEL32(?,00000064,?,00000004,00DDA01E,00000000,00000000,?,?,00000000,?,00000000,00000004,00DE9DCB,?,?), ref: 00DD8CE5
    • SetEvent.KERNEL32(?), ref: 00DD8D19
    • SetEvent.KERNEL32(?), ref: 00DD8D21
      • Part of subcall function 00DD6EE2: __EH_prolog3.LIBCMT ref: 00DD6EE9
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EventH_prolog3$ObjectSingleWait
    • String ID:
    • API String ID: 4164459053-0
    • Opcode ID: fd0c83f7d3900955ef71ad4b8f39cc794722992e1079df82a02e66e6ba24fc68
    • Instruction ID: 741c5629bf7c2733740b77b440d5d78a8b24747b4561fdb0fdf29273a55171de
    • Opcode Fuzzy Hash: fd0c83f7d3900955ef71ad4b8f39cc794722992e1079df82a02e66e6ba24fc68
    • Instruction Fuzzy Hash: B0119130A01655AFDB2AAF759C05B9DBA62BF10750F04422BF854AB3D1DF719810EBB0
    Function 00DC2BB7 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationCOMMON
    Download Yara Rule
    APIs
    • SetEvent.KERNEL32(?,?,00DC2A6E,00000000,00000000,?,?,00000000,00DE7AFD,?,?,?,00DC1762), ref: 00DC2C14
    • SetEvent.KERNEL32(?,?,00DC2A6E,00000000,00000000,?,?,00000000,00DE7AFD,?,?,?,00DC1762), ref: 00DC2C19
    • SetEvent.KERNEL32(00000000,?,00DC2A6E,00000000,00000000,?,?,00000000,00DE7AFD,?,?,?,00DC1762), ref: 00DC2C24
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00DC2A6E,00000000,00000000,?,?,00000000,00DE7AFD,?,?,?,00DC1762), ref: 00DC2BC6
      • Part of subcall function 00DD6F6F: SysFreeString.OLEAUT32(?), ref: 00DD6FA0
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$FreeObjectSingleStringWait
    • String ID:
    • API String ID: 695210798-0
    • Opcode ID: 4167e1d7984f11b7233108d5744010b518a9e7816240bf84d9096e79ceea14a4
    • Instruction ID: e2d2a3eb4cddcf975f6379beb49c43f56e8ed5f728ad5a24bcd739dc7986592d
    • Opcode Fuzzy Hash: 4167e1d7984f11b7233108d5744010b518a9e7816240bf84d9096e79ceea14a4
    • Instruction Fuzzy Hash: 3D01CE31240B049FC7256F22DD01F3EB7A2EF90B11F18852DE485272A0CF71E9448BA0
    Function 00E30178 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00E3018E
    • GetLastError.KERNEL32(?,?,?,?), ref: 00E3019B
    • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00E301C1
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00E301E7
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FilePointer$ErrorLast
    • String ID:
    • API String ID: 142388799-0
    • Opcode ID: cc2f05793a5059ef204caac507ebe030e23c17fce78a83003f93ac15b5c523e5
    • Instruction ID: 983ebb7ec30fd4c5326664a1c9e9696dab2fad1e36fc156d0bd3719f3d4db619
    • Opcode Fuzzy Hash: cc2f05793a5059ef204caac507ebe030e23c17fce78a83003f93ac15b5c523e5
    • Instruction Fuzzy Hash: 92115771802159BFDF109F66CC4C9EF7FB9EF05364F108554F864A22A0CB318A80DBA0
    Function 00DC2AE7 Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,?,00000000,00000000,?,00000000,?,?,?,00DC2AC8,?,000000FF), ref: 00DC2B06
    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00DC2B1B
    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,?,00000000,00000001,?,?,00DC2AC8,?,000000FF,?,?,00DD6F1B,00E3C9FA,00000004), ref: 00DC2B32
    • SysFreeString.OLEAUT32(00000000), ref: 00DC2B3E
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ByteCharMultiStringWide$AllocFree
    • String ID:
    • API String ID: 447844807-0
    • Opcode ID: 7ddd702a21678ac5a6410d1ee1608f7d78a1a0dc849364133a2117212d6e1132
    • Instruction ID: e35ddc36ecfa6e85c523f504e3782b8915a96b46445913bd2f83d47c4a5b1550
    • Opcode Fuzzy Hash: 7ddd702a21678ac5a6410d1ee1608f7d78a1a0dc849364133a2117212d6e1132
    • Instruction Fuzzy Hash: 8301713120011ABFDB214FA68C8CFABBF6AEB457A0F140128F549A71A4D6319D40C6B0
    Function 00DEA376 Relevance: 6.0, APIs: 4, Instructions: 49synchronizationCOMMON
    Download Yara Rule
    APIs
    • GetTickCount.KERNEL32 ref: 00DEA3B2
    • GetTickCount.KERNEL32 ref: 00DEA3BB
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DEA3D1
    • GetTickCount.KERNEL32 ref: 00DEA3E2
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CountTick$ObjectSingleWait
    • String ID:
    • API String ID: 2051767920-0
    • Opcode ID: dfe95da358ecf341a2a3fa4745bcf7d7933e423b44ba3e034ef384f6cb079876
    • Instruction ID: f1a3bd363299ec0ec20b364b75a7d7e68f8fd28041133b7fb1a087f2281ae2e0
    • Opcode Fuzzy Hash: dfe95da358ecf341a2a3fa4745bcf7d7933e423b44ba3e034ef384f6cb079876
    • Instruction Fuzzy Hash: C0016131A013569FDB14AF9AD8C895DFBB5EF04710B194069E405A7260DB70BD849B61
    Function 00DE16F6 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
    Download Yara Rule
    APIs
    • VariantInit.OLEAUT32(?), ref: 00DE1703
    • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 00DE1724
    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DE1734
    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00DE1756
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ArraySafe$Data$AccessCreateInitUnaccessVariant
    • String ID:
    • API String ID: 433220036-0
    • Opcode ID: 185b16af49b5c638c5c0458f150d8f876160e65b94493df7abeb3c192ac73316
    • Instruction ID: 5afc4c831094bbe52da8db900d485de6d915246f87e57729b09db55c1201d08d
    • Opcode Fuzzy Hash: 185b16af49b5c638c5c0458f150d8f876160e65b94493df7abeb3c192ac73316
    • Instruction Fuzzy Hash: 84010879A00258AFCB10DF99D88899EBBB8FB89700F148069FE55E7211D6319A45CBA1
    Function 00DEC0B5 Relevance: 6.0, APIs: 4, Instructions: 44threadCOMMON
    Download Yara Rule
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_0002BF9B,?,00000000,?), ref: 00DEC0E0
    • EnterCriticalSection.KERNEL32(?,?,00000000,?), ref: 00DEC0F0
    • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00DEC104
    • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00DEC10E
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$CloseCreateEnterHandleLeaveThread
    • String ID:
    • API String ID: 350334177-0
    • Opcode ID: 470c7bf2bb200852ffa35b8c26740759b09a52c451b815035f9868f4ee131abb
    • Instruction ID: b98433f07f3ba676ded04bdfa3024be2b151ed39b806b8372db3541f2f979edb
    • Opcode Fuzzy Hash: 470c7bf2bb200852ffa35b8c26740759b09a52c451b815035f9868f4ee131abb
    • Instruction Fuzzy Hash: 60018BB2601B2ABFC3119FA7CC48896FFACFF057617401126F20582511C771E461CBE0
    Function 00DEBCE6 Relevance: 6.0, APIs: 4, Instructions: 44threadCOMMON
    Download Yara Rule
    APIs
    • CreateThread.KERNEL32(00000000,00000000,00DEBD54,?,00000000,?), ref: 00DEBD17
    • EnterCriticalSection.KERNEL32(?,?,00000000,?), ref: 00DEBD27
    • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00DEBD38
    • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00DEBD42
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$CloseCreateEnterHandleLeaveThread
    • String ID:
    • API String ID: 350334177-0
    • Opcode ID: e24953afccdef459df350bd0aedb53f0bef5de8047a7b50ea68a4c8a6bc15845
    • Instruction ID: 81996cf8f12c81d6d81aabf4b78f387ba63c468126000608e63de45583375bc4
    • Opcode Fuzzy Hash: e24953afccdef459df350bd0aedb53f0bef5de8047a7b50ea68a4c8a6bc15845
    • Instruction Fuzzy Hash: 010146B2601A6ABFC3259FAADC48D97FBACFB19761B440127F24AC2510C771B455CBE0
    Function 00DEC056 Relevance: 6.0, APIs: 4, Instructions: 40synchronizationCOMMON
    Download Yara Rule
    APIs
    • EnterCriticalSection.KERNEL32(?,00000000,?,00000000,?,?,00DE3F01), ref: 00DEC066
    • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00DE3F01), ref: 00DEC07D
    • WaitForSingleObject.KERNEL32(?,000007D0,?,00000000,?,?,00DE3F01), ref: 00DEC09A
    • CloseHandle.KERNEL32(?,?,00000000,?,?,00DE3F01), ref: 00DEC0A8
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$CloseEnterHandleLeaveObjectSingleWait
    • String ID:
    • API String ID: 1093235439-0
    • Opcode ID: 8b18b11843ad519144bbc1a11855d243b5a2a45a1ec6dc04cc6bcfc6332d9037
    • Instruction ID: 9c6a530d9f2b1fe9fa69d5867f361a1ae76895a793e3893ae23b214b8b2795f2
    • Opcode Fuzzy Hash: 8b18b11843ad519144bbc1a11855d243b5a2a45a1ec6dc04cc6bcfc6332d9037
    • Instruction Fuzzy Hash: 9FF0C871701214EFCB094F26DC8DAAA7BECFF89311B45007AE906EB215CB719C09CAA1
    Function 00DEBC8A Relevance: 6.0, APIs: 4, Instructions: 40synchronizationCOMMON
    Download Yara Rule
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,00DE3B8C,00000000), ref: 00DEBC9A
    • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00DE3B8C,00000000), ref: 00DEBCAE
    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,00DE3B8C,00000000), ref: 00DEBCCB
    • CloseHandle.KERNEL32(?,?,00000000,?,?,00DE3B8C,00000000), ref: 00DEBCD9
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$CloseEnterHandleLeaveObjectSingleWait
    • String ID:
    • API String ID: 1093235439-0
    • Opcode ID: 3ff3c53afb30493af479f258ede8dc225be03509399ef732b70af04e8931c0f5
    • Instruction ID: ee12d3862ce60d0404ef1e8951b67e6abcae0422de00c8296eff0ad5d4718e3b
    • Opcode Fuzzy Hash: 3ff3c53afb30493af479f258ede8dc225be03509399ef732b70af04e8931c0f5
    • Instruction Fuzzy Hash: 23F0C871601214AFCB095F2ADC8C9AA7BA8FF89321705017AE906D7244DB319C09CAA1
    Function 00DE3106 Relevance: 6.0, APIs: 4, Instructions: 38memoryCOMMON
    Download Yara Rule
    APIs
    • inet_ntoa.WS2_32(?), ref: 00DE3123
    • SysStringByteLen.OLEAUT32(?), ref: 00DE3141
    • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00DE3149
    • SysFreeString.OLEAUT32(?), ref: 00DE3157
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: String$Byte$AllocFreeinet_ntoa
    • String ID:
    • API String ID: 501375900-0
    • Opcode ID: 1bc0578040b63962e69eae73dd11502841ebc248db182892fc234d513fdc87b3
    • Instruction ID: 06f23cad4850a542c363a4e0f7839a092d13a065379e5e943711cf73e470396d
    • Opcode Fuzzy Hash: 1bc0578040b63962e69eae73dd11502841ebc248db182892fc234d513fdc87b3
    • Instruction Fuzzy Hash: F5F04F72601114AF8B11AF56DC4CCAF7BACEF897117194169F80AE7220CB31DE41DBA1
    Function 00E3310F Relevance: 6.0, APIs: 4, Instructions: 32COMMON
    Download Yara Rule
    APIs
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00E33129
    • GetLastError.KERNEL32 ref: 00E33135
      • Part of subcall function 00E331DE: CloseHandle.KERNEL32(FFFFFFFE,00E33228,?,00E3050A,00000000,00000001,00000000,?,?,00E29C57,?,?,00000000,?,?), ref: 00E331EE
    • ___initconout.LIBCMT ref: 00E33145
      • Part of subcall function 00E331A0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E331CF,00E304F7,?,?,00E29C57,?,?,00000000,?), ref: 00E331B3
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00E33159
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 4ac180f08fc9469802c1da5b2ca45bd6ca3c804ed8cba50b562aba872918acf6
    • Instruction ID: dbb327c11a9d37cdc1f3952f59bb93896814da46a2b540f07c8e17308548a5f9
    • Opcode Fuzzy Hash: 4ac180f08fc9469802c1da5b2ca45bd6ca3c804ed8cba50b562aba872918acf6
    • Instruction Fuzzy Hash: C4F05E36502104BFCB221BAADC0CD467FFAEBC9312F250424FA89A2131CA329854DF61
    Function 00DCA6CD Relevance: 6.0, APIs: 4, Instructions: 30serviceCOMMON
    Download Yara Rule
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?,00DCA4DC), ref: 00DCA6DB
    • OpenServiceA.ADVAPI32(00000000,?,00000001,?,?,?,00DCA4DC), ref: 00DCA6EE
    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00DCA4DC), ref: 00DCA700
    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00DCA4DC), ref: 00DCA703
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$Manager
    • String ID:
    • API String ID: 4196757001-0
    • Opcode ID: 9459b51dbfb760ad327541cac1dc41a057481fe08978934a209f70d251464824
    • Instruction ID: bccf73e92b3cc6b3f32105a97ca0b794293d09cd6cd64cf8aaa78bef309fca99
    • Opcode Fuzzy Hash: 9459b51dbfb760ad327541cac1dc41a057481fe08978934a209f70d251464824
    • Instruction Fuzzy Hash: D8E04F763012292FD221565A9CCCEBB6A6CEB85A957080029FA40D2151EB55CC4196B6
    Function 00E331F5 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00E3050A,00000000,00000001,00000000,?,?,00E29C57,?,?,00000000), ref: 00E3320C
    • GetLastError.KERNEL32(?,00E3050A,00000000,00000001,00000000,?,?,00E29C57,?,?,00000000,?,?,?,00E2A226,?), ref: 00E33218
      • Part of subcall function 00E331DE: CloseHandle.KERNEL32(FFFFFFFE,00E33228,?,00E3050A,00000000,00000001,00000000,?,?,00E29C57,?,?,00000000,?,?), ref: 00E331EE
    • ___initconout.LIBCMT ref: 00E33228
      • Part of subcall function 00E331A0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E331CF,00E304F7,?,?,00E29C57,?,?,00000000,?), ref: 00E331B3
    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00E3050A,00000000,00000001,00000000,?,?,00E29C57,?,?,00000000,?), ref: 00E3323D
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: f2d0a24bf7e0a689b17b761cc09ffafd6f04dc12bff8e1a800f7c4923c6ad052
    • Instruction ID: d94cd698a6a5690c8e57479899d5816a61bdd063ef33836c277a86c87e1092bd
    • Opcode Fuzzy Hash: f2d0a24bf7e0a689b17b761cc09ffafd6f04dc12bff8e1a800f7c4923c6ad052
    • Instruction Fuzzy Hash: 45F03736502118BFCF621FA6DC0DE9A3F65FB55761F144050FA59B5170C6328960DF91
    Function 00DC1B17 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
    Download Yara Rule
    APIs
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00DC219C), ref: 00DC1B20
    • ResetEvent.KERNEL32(00000000,?,00DC219C), ref: 00DC1B36
    • CloseHandle.KERNEL32(?,?,00DC219C), ref: 00DC1B52
    • InitializeCriticalSection.KERNEL32(00E51CF4,?,00DC219C), ref: 00DC1B5F
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Event$CloseCreateCriticalHandleInitializeResetSection
    • String ID:
    • API String ID: 4043969509-0
    • Opcode ID: 929d6eadf07a962f6382d0b46208ee4bd224ad7e5f309d89897f9819193ac14e
    • Instruction ID: 8792c35242e0de8fef372a517bb49f1f8b81482e8e16557396eee24093a75ef0
    • Opcode Fuzzy Hash: 929d6eadf07a962f6382d0b46208ee4bd224ad7e5f309d89897f9819193ac14e
    • Instruction Fuzzy Hash: AFE06D70101611AFDB101BB5FC0CFB77EADAF15311B140969B896E20A0EB21DC458E21
    Function 00DED7BB Relevance: 6.0, APIs: 4, Instructions: 25COMMON
    Download Yara Rule
    APIs
    • SleepConditionVariableCS.KERNELBASE(?,00DED740,00000064), ref: 00DED7DE
    • LeaveCriticalSection.KERNEL32(00E525F4,?,?,00DED740,00000064,?,00E51D18,?,00DC1A4F,00E51D18), ref: 00DED7E8
    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00DED740,00000064,?,00E51D18,?,00DC1A4F,00E51D18), ref: 00DED7F9
    • EnterCriticalSection.KERNEL32(00E525F4,?,00DED740,00000064,?,00E51D18,?,00DC1A4F,00E51D18), ref: 00DED800
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
    • String ID:
    • API String ID: 3269011525-0
    • Opcode ID: 9f4eca20bdec1c1db21b434b8b75d3039cb1d1d58d23f66d240cd5fe390b27eb
    • Instruction ID: 47859d4da7876f4af31455252f7b22c053f1daecabd8fdf0197d91984d6cd8c6
    • Opcode Fuzzy Hash: 9f4eca20bdec1c1db21b434b8b75d3039cb1d1d58d23f66d240cd5fe390b27eb
    • Instruction Fuzzy Hash: 67E09272501328BFCB062B53EC1DA9D3F19EB06B52B080024FF4576130DA624948ABD6
    Function 00DD6EAD Relevance: 6.0, APIs: 4, Instructions: 21synchronizationCOMMON
    Download Yara Rule
    APIs
    • WaitForSingleObject.KERNEL32(00000000,000000FF,00E52588,00000000,00DD6E7F,?,?,00DD39ED,?,?,?,00DC7407,3D2EC555,?,?,00E36AA5), ref: 00DD6EC2
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00DD39ED,?,?,?,00DC7407,3D2EC555,?,?,00E36AA5,000000FF,?,00DC5D30), ref: 00DD6EC9
    • CloseHandle.KERNEL32(00000000,?,?,00DD39ED,?,?,?,00DC7407,3D2EC555,?,?,00E36AA5,000000FF,?,00DC5D30), ref: 00DD6ED8
    • CloseHandle.KERNEL32(00000000,?,?,00DD39ED,?,?,?,00DC7407,3D2EC555,?,?,00E36AA5,000000FF,?,00DC5D30), ref: 00DD6EDD
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CloseHandleObjectSingleWait
    • String ID:
    • API String ID: 528846559-0
    • Opcode ID: dd49d3aac5e0c3c40b4eb80d52fefea6cd76374a69d9abd1b46a090d91625aba
    • Instruction ID: a9784de9e16c39e0105811abf99af77876b72f897f465e44fc59b4299b7a320f
    • Opcode Fuzzy Hash: dd49d3aac5e0c3c40b4eb80d52fefea6cd76374a69d9abd1b46a090d91625aba
    • Instruction Fuzzy Hash: C2E09232414526BBCA115B5AEC08A56FF65FB41371F284326A028625F4CB62A8A5DFC0
    Function 00E24B6B Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 306COMMONLIBRARYCODE
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: P9
    • API String ID: 0-119629094
    • Opcode ID: eee051c6d0fe593f85fe4e9d8c02d9dbf94aeb9e5ef3a8ac5683f0810ed77830
    • Instruction ID: 1f444da00ba2a61e85072e9c3c6f1c4cc19e21cde8dfb7ee47288c46937f65eb
    • Opcode Fuzzy Hash: eee051c6d0fe593f85fe4e9d8c02d9dbf94aeb9e5ef3a8ac5683f0810ed77830
    • Instruction Fuzzy Hash: 6FA1D1B2E002358FEF25EB6CF8866ECB7E1AB95318F166029E4017B2D1D7719C80CB51
    Function 00DFB707 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: __aulldiv
    • String ID: +$-
    • API String ID: 3732870572-2137968064
    • Opcode ID: 3dbd7c94e99418b410cc843f596b987c190fb6383cc3624eb6be620d183257aa
    • Instruction ID: 6eccd3cdc33299a0497275b3e8691d989edc96eb4c35b0c3040473b699daa001
    • Opcode Fuzzy Hash: 3dbd7c94e99418b410cc843f596b987c190fb6383cc3624eb6be620d183257aa
    • Instruction Fuzzy Hash: A6A1AF30E0025CAEDB24DE79C8506FE7BA5EF95370F1AC55BEAA59B291D330D9018B70
    Function 00DF1C80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON
    Download Yara Rule
    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 00DF1CBF
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00DF1D73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 745389edb5b60e90c016d5f16aaa134aeafe93fceeda5bb622598594318018a8
    • Instruction ID: ae5bbe1c3a859e7de254b6421c8c462a74401e3424083ef34345fe32290d27e7
    • Opcode Fuzzy Hash: 745389edb5b60e90c016d5f16aaa134aeafe93fceeda5bb622598594318018a8
    • Instruction Fuzzy Hash: 3241CF38A0021CEBCF14DF69C884AAEBBB5EF05314F16C055EA146B352C731EA55CBB1
    Function 00E1938B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID:
    • String ID: P+$P+
    • API String ID: 0-2823912113
    • Opcode ID: 67a786a4c15bf079400f4c28606f204cc34081e624cbff822221ad43743d5b1e
    • Instruction ID: f0a76f9dd5c8ade05ccede030ccf287b33017ef5a63ac9a6e6572f48cf742f2f
    • Opcode Fuzzy Hash: 67a786a4c15bf079400f4c28606f204cc34081e624cbff822221ad43743d5b1e
    • Instruction Fuzzy Hash: 5431D5B1A00214FFCB259FA98CC19DFBBBDEB45754B10506AF515B7242D6708E818760
    Function 00DF2EC5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00DF2EEA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: df1da919e96ba12f14cafce8d6deaf54c561d16769472d46274cb8c873091757
    • Instruction ID: 438591155f967e3712b833459b9d2cf7c1b655368dfc26d1f2ba9f53bf30fa35
    • Opcode Fuzzy Hash: df1da919e96ba12f14cafce8d6deaf54c561d16769472d46274cb8c873091757
    • Instruction Fuzzy Hash: 7141783190024DAFCF16DF99CC81ABEBBB5FF08304F1A8159FA04A7265D3359990DB61
    Function 00DF5615 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • Replicator::operator[].LIBVCRUNTIME ref: 00DF5681
    • DName::operator=.LIBVCRUNTIME ref: 00DF5716
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator=Replicator::operator[]
    • String ID: T3
    • API String ID: 3211817929-2635867010
    • Opcode ID: c6a2fb5c0dc91bfd217ddaa1069505aadee09d73b04fddb407a1ba7f56540932
    • Instruction ID: 9f3a21fb8a98459dd5fbf2ee2117f3f337f9fecaee64e9d63c50176971eea03e
    • Opcode Fuzzy Hash: c6a2fb5c0dc91bfd217ddaa1069505aadee09d73b04fddb407a1ba7f56540932
    • Instruction Fuzzy Hash: FB31583160170C9FD715EB64F845BBE73A8EB42316F19840ED391D7286C7709889C7B0
    Function 00DF5722 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 00DF5615: Replicator::operator[].LIBVCRUNTIME ref: 00DF5681
    • DName::operator+.LIBCMT ref: 00DF57B6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name::operator+Replicator::operator[]
    • String ID: `1$l1
    • API String ID: 1405650943-3955409648
    • Opcode ID: 01f60b3107fc092da88879a96deeb2f58764418d818873d79eaedbbc5a243e09
    • Instruction ID: aa32eb7f3807e011e62115222c3b47bed5b04293d144d4e3d559a6b5f2ca82df
    • Opcode Fuzzy Hash: 01f60b3107fc092da88879a96deeb2f58764418d818873d79eaedbbc5a243e09
    • Instruction Fuzzy Hash: DE31A9B0A00609DFCB05CF48E8556AABBF0FB85344F05C589D701AB352C770DA49CFA0
    Function 00DF697D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 00DF4014: pDNameNode::pDNameNode.LIBCMT ref: 00DF403A
    • DName::DName.LIBVCRUNTIME ref: 00DF6A3C
    • DName::operator+.LIBCMT ref: 00DF6A4A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: Name$Name::Name::operator+NodeNode::p
    • String ID: 1
    • API String ID: 3257498322-994553094
    • Opcode ID: 5759fd9f5905e8f956a45445d73d15a1bf8f01159b8ed54f785537bd57fe4afb
    • Instruction ID: 9c207e40410b1de82f88108acd04938c50f4e71b91c787b76186e23c8ae088f4
    • Opcode Fuzzy Hash: 5759fd9f5905e8f956a45445d73d15a1bf8f01159b8ed54f785537bd57fe4afb
    • Instruction Fuzzy Hash: E0210AB580020DAFDB05DF90D8569FE7BB8FB04304F51805AEB55A7251EB70AB88DB71
    Function 00DEE129 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DEE134
    • ___raise_securityfailure.LIBCMT ref: 00DEE237
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: @&
    • API String ID: 3761405300-1874572653
    • Opcode ID: 23373cc239d4d00239d1c7ebb885d0eed13a0fdec2cb88286ea91ff7ed6b4377
    • Instruction ID: a7dfdf864a41b76cabe15b608f9f24acc51c127b7dcc66cfa570ca400e142795
    • Opcode Fuzzy Hash: 23373cc239d4d00239d1c7ebb885d0eed13a0fdec2cb88286ea91ff7ed6b4377
    • Instruction Fuzzy Hash: 9031C874900348DFCB18DF5AE9806587BF4FB1E312F10985EEA19A7360D3749A89CF55
    Function 00DF81AD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: NameName::
    • String ID: .$.
    • API String ID: 1333004437-758550460
    • Opcode ID: 74a32add3d1909621a60fd525a4694da8babf9dabc4dfc59bad017aeb5a7e39c
    • Instruction ID: 8389a2bdbc8c016472e3ca0ada98fea0b68383dd8f8b40b91e282fc6e2f4b601
    • Opcode Fuzzy Hash: 74a32add3d1909621a60fd525a4694da8babf9dabc4dfc59bad017aeb5a7e39c
    • Instruction Fuzzy Hash: 872165B1C0120CAFDB05DF94E845AEE7FB4FB45304F05848AE605AB352DB749A85DBB1
    Function 00DECC4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 00DECC53
    • _wprintf.LEGACY_STDIO_DEFINITIONS ref: 00DECCA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: H_prolog3_wprintf
    • String ID: CZCom_Error_Transmit
    • API String ID: 473686354-1306197342
    • Opcode ID: cb5b9fdf0315b8813ddd9b0407ee3d6be1eec23aebc2d2978fc01533df24ac2b
    • Instruction ID: 77e704d5dfea8fc0b5c1eb27329402b6ac0bba62736b487b23ebfb20907e4ed4
    • Opcode Fuzzy Hash: cb5b9fdf0315b8813ddd9b0407ee3d6be1eec23aebc2d2978fc01533df24ac2b
    • Instruction Fuzzy Hash: BB11CC357603C1A7DB157B7B4C0262D7696DF94B61F24952AF804E62D1DF70CA428670
    Function 00DEDD31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DEDF5F
    • ___raise_securityfailure.LIBCMT ref: 00DEE047
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: @&
    • API String ID: 3761405300-1874572653
    • Opcode ID: d38565b5dab29885a3cdf2b1ca858f875ec56246264d5797ec2d667be5612a07
    • Instruction ID: 882a5bbd382d7418fff4cfe83eaa77aed6baed2d79734f0bfa27fba6b88d2b48
    • Opcode Fuzzy Hash: d38565b5dab29885a3cdf2b1ca858f875ec56246264d5797ec2d667be5612a07
    • Instruction Fuzzy Hash: F82114B5A003448FD71CCF17E9966407BE4FB1E312F10582FE609A73B0E7B088898B95
    Function 00DEE05A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DEE065
    • ___raise_securityfailure.LIBCMT ref: 00DEE122
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: @&
    • API String ID: 3761405300-1874572653
    • Opcode ID: 30dcf006804382ac7f934a57dc565fcf99a86192de1b9e641b84b85852e8e48e
    • Instruction ID: d772a61a19bf577ed487d082186935b879e6ab9e45ce6411aea58cc29318f04f
    • Opcode Fuzzy Hash: 30dcf006804382ac7f934a57dc565fcf99a86192de1b9e641b84b85852e8e48e
    • Instruction Fuzzy Hash: 0C119DB5A103449FC71DDF27E9916407BE4FB1E352B00A82FEA08A7370E3B495498B95
    Function 00DCC17D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32registryCOMMON
    Download Yara Rule
    APIs
    • RegisterServiceCtrlHandlerA.ADVAPI32(?), ref: 00DCC193
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CtrlHandlerRegisterService
    • String ID: Handler not installed$Service stopped
    • API String ID: 1823773585-1763181911
    • Opcode ID: 8c06028328d29093e21be8c35e3123dc84dc2974a47994560e4dd12b07025557
    • Instruction ID: 192df8e92dfc4c2f483486c4f0425cf693932f0f613ac3471198d710ebedfdaa
    • Opcode Fuzzy Hash: 8c06028328d29093e21be8c35e3123dc84dc2974a47994560e4dd12b07025557
    • Instruction Fuzzy Hash: FCF082706247128FD766AB34581AFDA6AD8EF45300F00582EF59FD7281EFB0A8418B71
    Function 00DED18A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00DC1AF0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DC1849,?,?,?,00DC165A), ref: 00DC1AF5
      • Part of subcall function 00DC1AF0: GetLastError.KERNEL32(?,00DC1849,?,?,?,00DC165A), ref: 00DC1AFF
    • IsDebuggerPresent.KERNEL32(?,?,?,00DC15EA), ref: 00DED1BD
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC15EA), ref: 00DED1CC
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DED1C7
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 450123788-631824599
    • Opcode ID: 9a010d61509cb96dcb37035958d3ebdde01d4bf20d3bc3e1a0f3ffc2dd480810
    • Instruction ID: bcf896f53afe50871351fee676e6699f653e823f6befbf12c771ea2bcb8a6f8f
    • Opcode Fuzzy Hash: 9a010d61509cb96dcb37035958d3ebdde01d4bf20d3bc3e1a0f3ffc2dd480810
    • Instruction Fuzzy Hash: 6BE092706003518FC360AF26E4087027FE1AF04305F05CC2DE892E3651DBB2E449CBB2
    Function 00DCCCB2 Relevance: 5.0, APIs: 4, Instructions: 45stringCOMMON
    Download Yara Rule
    APIs
    • lstrcmpiA.KERNEL32(00000022,00E3C6DC), ref: 00DCCCC4
    • lstrcmpiA.KERNEL32(00E3C6E4,00E3C6E4), ref: 00DCCCE0
    • lstrcmpiA.KERNEL32(00E3C6EC,00E3C6EC), ref: 00DCCCF5
    • lstrcmpiA.KERNEL32(00E3C6F4,00E3C6F4), ref: 00DCCD07
    Memory Dump Source
    • Source File: 00000000.00000002.1670852103.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
    • Associated: 00000000.00000002.1670833998.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670901440.0000000000E3A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670925099.0000000000E50000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1670943823.0000000000E54000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_dc0000_czcansrv.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: d8cc0e906652854ed741cf32962a153bfdbaac9b5e1c2407550f4f7a7329be09
    • Instruction ID: d250f96d549ac9d31d94bfe93daeb459d754734a70c5e56b6549e8da864f668b
    • Opcode Fuzzy Hash: d8cc0e906652854ed741cf32962a153bfdbaac9b5e1c2407550f4f7a7329be09
    • Instruction Fuzzy Hash: D6F0A4322A430BBBDB002A29DD02F663F949F90B94F106039FA0DFB1A0E671C8429774