
Windows Analysis Report
win32_remote.exe

Overview

General Information

Sample name:win32_remote.exe
Analysis ID:1431482
MD5:2783a76f46f07b45dcc4514bd67daeb4
SHA1:a2ec57d564f9b29cc9798ddad730ecda0af4fcc0
SHA256:9ca85bbfed42b252002390fe9c5dbbfbe2e76c6e69f681204dd1d403b8f1ce2d
Tags:APT44, ARGUEPATCH, exe

Detection

Score:9
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • win32_remote.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\win32_remote.exe" MD5: 2783A76F46F07B45DCC4514BD67DAEB4)
    • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C193A0 DecryptMessage,0_2_00C193A0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C18AE0 EncryptMessage,0_2_00C18AE0
Source: win32_remote.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: win32_remote.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: win32_remote.pdb source: win32_remote.exe
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C494A4 FindFirstFileExW,_free,0_2_00C494A4
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C3B5D6 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,0_2_00C3B5D6
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE25E0 GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,GetModuleFileNameExW,GetSystemDirectoryA,GetCurrentDirectoryA,0_2_00BE25E0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C172F0 recvfrom,WSAGetLastError,0_2_00C172F0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE64D0 FreeLibrary,CloseHandle,NtUnloadDriver,0_2_00BE64D0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE64D1 FreeLibrary,CloseHandle,NtUnloadDriver,0_2_00BE64D1
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE5500 NtSystemDebugControl,0_2_00BE5500
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE3C60 RtlAdjustPrivilege,RtlAdjustPrivilege,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile,0_2_00BE3C60
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE6E20 NtSystemDebugControl,0_2_00BE6E20
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C4712E
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2D2A5
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C3E465
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C295E0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C315B2
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C317DB
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2C707
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2D8F0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C359CD
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C379D0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C4891A
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BFBA90
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C48A46
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2CA79
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C1CD50
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2CD23
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2CFEA
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: String function: 00C2ADD0 appears 54 times
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: String function: 00BD37C0 appears 92 times
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: String function: 00BD39E0 appears 37 times
Source: win32_remote.exe | Binary string: JNtSystemDebugControlNtLoadDriverNtUnloadDriverRtlAdjustPrivilegeNtCreateFileNtDeviceIoControlFile\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\kldbgdrv\Device\kldbgdrv
Source: classification engine | Classification label: clean9.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE0E90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification,GetLastError,FreeLibrary,SetLastError,0_2_00BE0E90
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD5600 CoCreateInstance,SearchPathA,LoadLibraryA,GetProcAddress,FreeLibrary,0_2_00BD5600
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: win32_remote.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\win32_remote.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: win32_remote.exe | String found in binary or memory: on-stop-kill-process
Source: win32_remote.exe | String found in binary or memory: 'Don-broken-connection-keep-sessionKeep debugger session alive when connection breakson-stop-kill-processKill debuggee when closing sessionCould not initialize subsystem!IDA_DBGSRV_PASSWDIDA Windows 32-bit remote debug server(MT) v%d.%d.%d. Hex-Rays (c) 2004-2020
Source: win32_remote.exe | String found in binary or memory: ip-address
Source: win32_remote.exe | String found in binary or memory: v8aH@aHpeDport-numberPort numberip-addressIP address to bind to (default to any)use-tlsUse TLScertchain-fileTLS certificate chain fileprivkey-fileTLS private key fileverboseVerbose mode0.0.0.0%s:%u: %s
Source: unknown | Process created: C:\Users\user\Desktop\win32_remote.exe "C:\Users\user\Desktop\win32_remote.exe"
Source: C:\Users\user\Desktop\win32_remote.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Section loaded: rasadhlp.dll
Source: win32_remote.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: win32_remote.exe | Static PE information: 0xF41F5250 [Wed Oct 14 20:36:32 2099 UTC]
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE3AA0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,GetModuleHandleA,GetProcAddress,GetProcAddress,0_2_00BE3AA0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD70D8 push ebp; iretd 0_2_00BD70D9
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD71CE push ebp; iretd 0_2_00BD71CF
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD712B push ebp; iretd 0_2_00BD712C
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD717B push ebp; iretd 0_2_00BD717C
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD72E8 push ebp; iretd 0_2_00BD72E9
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD7228 push ebp; iretd 0_2_00BD7229
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD727B push ebp; iretd 0_2_00BD727C
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD7348 push ebp; iretd 0_2_00BD7349
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2D66B pushfd ; retf 0_2_00C2D66C
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C01979 push 840FC085h; ret 0_2_00C0197F
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2AE16 push ecx; ret 0_2_00C2AE29
Source: C:\Users\user\Desktop\win32_remote.exe | API coverage: 8.4 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BE2E80 GetSystemInfo,VirtualQueryEx,VirtualQueryEx,0_2_00BE2E80
Source: win32_remote.exe, 00000000.00000002.2870212866.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2F0D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C2F0D3
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C327C0 mov eax, dword ptr fs:[00000030h] 0_2_00C327C0
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C40F50 mov eax, dword ptr fs:[00000030h] 0_2_00C40F50
Source: C:\Users\user\Desktop\win32_remote.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2A147 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00C2A147
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2AC15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C2AC15
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2AD77 SetUnhandledExceptionFilter,0_2_00C2AD77
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C2AA6E cpuid 0_2_00C2AA6E
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C3F7F3 GetSystemTimeAsFileTime,0_2_00C3F7F3
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00BD1045 GetVersionExA,GetCurrentProcess,0_2_00BD1045
Source: C:\Users\user\Desktop\win32_remote.exe | Code function: 0_2_00C17985 WSAStartup,bind,WSAGetLastError,listen,0_2_00C17985
MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures for that technique; entries without a count were not matched):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
  • Execution: Command and Scripting Interpreter (2), Native API (1), At, Cron, Launchd, Scheduled Task
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
  • Privilege Escalation: Access Token Manipulation (1), Process Injection (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts
  • Defense Evasion: Access Token Manipulation (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Timestomp (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
  • Discovery: System Time Discovery (1), Security Software Discovery (11), File and Directory Discovery (2), System Information Discovery (14), Internet Connection Discovery, Wi-Fi Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
  • Command and Control: Encrypted Channel (2), Ingress Tool Transfer (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph ID: 1431482, Sample: win32_remote.exe, Start date: 25/04/2024, Architecture: WINDOWS, Score: 9. Process chain: win32_remote.exe started conhost.exe.
Source | Detection | Scanner | Label
win32_remote.exe | 3% | ReversingLabs |
win32_remote.exe | 1% | Virustotal |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1431482
Start date and time:2024-04-25 09:52:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 17s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:win32_remote.exe
Detection:CLEAN
Classification:clean9.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 11
  • Number of non-executed functions: 108
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Process:C:\Users\user\Desktop\win32_remote.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):127
Entropy (8bit):5.007403239027221
Encrypted:false
SSDEEP:3:zNBh2HVHmJbyKlCP2XVFyiWALOHDn/GXWJbRMLLe:jh2HVHoyKEP2XCR7/5bqLq
MD5:FB54F4ABF797A2F13F8678B9E986CB2C
SHA1:14B11F2B6650BC4399AFBABC14F3940BFE7191C8
SHA-256:455E744FB5D7D1DDEF9A852AD09862846F8BAEF1A006CD0E65AF3AB7835C35C9
SHA-512:9122A986C56B3CD7C27068A57D11E3EE607B3BE748689E985E237DA6550EC578BBE3D78856433579CACC9ECB9BB522019E1F440E64CEDA431C2B9BE5A7A6A2FA
Malicious:false
Reputation:low
Preview:IDA Windows 32-bit remote debug server(MT) v7.5.26. Hex-Rays (c) 2004-2020..Listening on 0.0.0.0:23946 (my ip 192.168.2.4).....
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.464722512456986
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:win32_remote.exe
File size:721'408 bytes
MD5:2783a76f46f07b45dcc4514bd67daeb4
SHA1:a2ec57d564f9b29cc9798ddad730ecda0af4fcc0
SHA256:9ca85bbfed42b252002390fe9c5dbbfbe2e76c6e69f681204dd1d403b8f1ce2d
SHA512:00c25cff3239d5b7dc091340468228911eeb3037024feb0029eda2d9e4632dd5c603936d084ee47da0582e10d19e7e697574682fcb3e225c932be693282ebbc2
SSDEEP:12288:I0M5551VeifM4D9ohl4wjiVzRuWFpSte+cgKlT701zbR/zLsi5VmBiJ8RLYTlIPA:vEvJHzRiFcgwf6FsiU+8RLYTCPPdoJ
TLSH:2AE47D30BB46C576C59211710D6DD7AB252CFE280F655CCB93C8293E2E361E27E32A5B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,[..,[..,[../Z..,[..)Zs.,[..(Z..,[..(Z..,[../Z..,[...[..,[..)Z..,[...[..,[..-[u.,[-.(Z..,[-.)Z..,[-..Z..,[Rich..,[.......
Icon Hash:90cececece8e8eb0
Entrypoint:0x45a0b2
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0xF41F5250 [Wed Oct 14 20:36:32 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:5555d6854cda03e02340917da5096fe1
Instruction
call 00007FC4246DB526h
jmp 00007FC4246DA5D9h
push 00000010h
push 004A7258h
call 00007FC4246DB46Dh
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
mov byte ptr [ebp-19h], bl
mov dword ptr [ebp-04h], ebx
cmp ebx, dword ptr [ebp+10h]
je 00007FC4246DA77Dh
mov ecx, dword ptr [ebp+14h]
call dword ptr [004802D8h]
mov ecx, dword ptr [ebp+08h]
call dword ptr [ebp+14h]
mov eax, dword ptr [ebp+0Ch]
add dword ptr [ebp+08h], eax
inc ebx
mov dword ptr [ebp-20h], ebx
jmp 00007FC4246DA742h
mov al, 01h
mov byte ptr [ebp-19h], al
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FC4246DA77Dh
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
retn 0014h
mov ebx, dword ptr [ebp-20h]
mov al, byte ptr [ebp-19h]
test al, al
jne 00007FC4246DA771h
push dword ptr [ebp+18h]
push ebx
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FC4246DA428h
ret
push ebp
mov ebp, esp
pop ebp
jmp 00007FC4246D9FABh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FC4246DAC66h
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
push 00000000h
call dword ptr [004801D8h]
push dword ptr [ebp+08h]
call dword ptr [004801D4h]
push C0000409h
call dword ptr [004800F0h]
push eax
call dword ptr [004800F4h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa7a74 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0x6074 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9fe90 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9ffac | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9ff00 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x80000 | 0x2d8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7eced | 0x7ee00 | 132307a60364cd2f41bdf1088acee7d3 | False | 0.5191637161330049 | data | 6.514495585148327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x80000 | 0x28978 | 0x28a00 | 0aeb890bea053b03acd5865df0fe8133 | False | 0.40975360576923076 | data | 5.364481984823826 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x4b0c | 0x2400 | 1dba36bb91140ae4a0db2db47b9c8f09 | False | 0.2815755208333333 | data | 3.686629471032741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xae000 | 0x6074 | 0x6200 | e7f72156e66d502f0f0237b1d174b7c8 | False | 0.6529416454081632 | data | 6.575912774431718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
ole32.dll | CoTaskMemFree, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll | VariantInit, SysFreeString
WS2_32.dll | WSASetLastError, getaddrinfo, WSAStartup, getservbyname, getservbyport, WSACleanup, WSAGetLastError, freeaddrinfo, socket, shutdown, setsockopt, sendto, select, recvfrom, ntohs, listen, inet_addr, htons, htonl, getsockname, getpeername, connect, closesocket, bind, accept, inet_ntoa, gethostbyaddr, gethostbyname
CRYPT32.dll | CertGetCertificateChain, CertGetNameStringA, CertVerifyTimeValidity, CertAddEncodedCertificateToStore, CertFreeCertificateContext, CertFreeCertificateChain
Secur32.dll | DecryptMessage, EncryptMessage, FreeContextBuffer, QueryCredentialsAttributesA, QueryContextAttributesA, ApplyControlToken, DeleteSecurityContext, InitializeSecurityContextA, AcquireCredentialsHandleA
USER32.dll | PostThreadMessageA
KERNEL32.dll | FlushFileBuffers, HeapFree, HeapAlloc, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetTimeZoneInformation, MoveFileExW, DeleteFileW, GetStringTypeW, SystemTimeToTzSpecificLocalTime, FindNextFileW, FindFirstFileExW, GetConsoleCP, WriteFile, ReadConsoleW, GetConsoleMode, HeapReAlloc, SetStdHandle, GetOEMCP, FreeEnvironmentStringsW, GetProcessHeap, GetCommandLineA, SetEndOfFile, GetFileType, CreateDirectoryW, GetCurrentDirectoryW, SetEnvironmentVariableW, GetDriveTypeW, SetConsoleCtrlHandler, GetModuleHandleExW, LoadLibraryExW, WriteConsoleW, HeapSize, FileTimeToSystemTime, FormatMessageA, InterlockedIncrement, InterlockedDecrement, FreeLibrary, GetProcAddress, ReadFile, SetFilePointerEx, CloseHandle, LoadLibraryA, GetModuleHandleA, CreateFileW, SearchPathA, LocalFree, FlushInstructionCache, VirtualProtectEx, VirtualQueryEx, GetCurrentProcess, TerminateProcess, GetThreadSelectorEntry, GetLastError, SetLastError, ReadProcessMemory, WriteProcessMemory, GetThreadContext, SetThreadContext, SuspendThread, ResumeThread, WaitForDebugEvent, ContinueDebugEvent, DebugActiveProcess, SetEvent, WaitForSingleObject, GetSystemInfo, CreateEventA, GetLogicalDriveStringsW, GetSystemDirectoryA, GetCurrentDirectoryA, QueryDosDeviceW, OpenProcess, GetVersionExA, GetCurrentProcessId, DecodePointer, ExitProcess, IsDebuggerPresent, Sleep, GetSystemTimeAsFileTime, FormatMessageW, QueryPerformanceCounter, QueryPerformanceFrequency, GetExitCodeProcess, GetEnvironmentStringsW, CreateThread, GetCurrentThreadId, TerminateThread, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, ReleaseSemaphore, GetStdHandle, CreateSemaphoreA, CreateProcessW, SearchPathW, GetFullPathNameW, GetModuleFileNameW, GetFileAttributesW, MultiByteToWideChar, IsValidCodePage, GetACP, GetCPInfo, IsDBCSLeadByteEx, WideCharToMultiByte, FindClose, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, GetModuleHandleW, InitializeSListHead, TlsFree, RtlUnwind, RaiseException, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue
No network behavior found


Target ID:0
Start time:09:52:52
Start date:25/04/2024
Path:C:\Users\user\Desktop\win32_remote.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\win32_remote.exe"
Imagebase:0xbd0000
File size:721'408 bytes
MD5 hash:2783A76F46F07B45DCC4514BD67DAEB4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:1
Start time:09:52:52
Start date:25/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false


    Execution Graph

    Execution Coverage:1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:9.2%
    Total number of Nodes:543
    Total number of Limit Nodes:18
c2997f _wctomb_s 21 API calls 57098->57100 57099->56928 57101 be7fc3 57100->57101 57101->57099 57102 be7fd4 57101->57102 57123 be6e90 41 API calls _wctomb_s 57102->57123 57104 be7fdb 57104->56928 57106 be0fdf 57105->57106 57107 be0eb0 57105->57107 57108 c299bd _ValidateLocalCookies 5 API calls 57106->57108 57107->57106 57109 be0ebd LoadLibraryA 57107->57109 57110 be0fed 57108->57110 57111 be0ed8 GetProcAddress GetProcAddress GetProcAddress 57109->57111 57115 be0fcb 57109->57115 57110->56930 57112 be0f9d 57111->57112 57114 be0f1d 57111->57114 57112->57115 57116 be0fa6 GetLastError FreeLibrary SetLastError 57112->57116 57113 c299bd _ValidateLocalCookies 5 API calls 57117 be0fdb 57113->57117 57114->57112 57118 be0f2a GetCurrentProcess OpenProcessToken 57114->57118 57115->57113 57116->57115 57117->56930 57118->57112 57119 be0f42 LookupPrivilegeValueA 57118->57119 57120 be0f54 AdjustTokenPrivileges 57119->57120 57121 be0f93 FindCloseChangeNotification 57119->57121 57120->57121 57121->57112 57122->56938 57123->57104 57131 c38a21 57124->57131 57126 c1e1b4 57126->56950 57126->56951 57126->56952 57127 bd2630 22 API calls 2 library calls 57126->57127 57127->56957 57128->56959 57129->56952 57130->56950 57132 c38a2d ___scrt_is_nonwritable_in_current_image 57131->57132 57139 c40ef1 EnterCriticalSection 57132->57139 57134 c38a38 57140 c38a7c 57134->57140 57138 c38a68 __fread_nolock 57138->57126 57139->57134 57141 c38a8b 57140->57141 57142 c38a9e 57140->57142 57159 c340bc 19 API calls __dosmaperr 57141->57159 57142->57141 57147 c38ab1 _unexpected _wctomb_s 57142->57147 57144 c38a90 57160 c2f298 25 API calls ___std_exception_copy 57144->57160 57146 c38a54 57156 c38a73 57146->57156 57147->57146 57148 c38ae5 57147->57148 57149 c38af8 57147->57149 57161 c340bc 19 API calls __dosmaperr 57148->57161 57162 c3332f 25 API calls 2 library calls 57149->57162 57152 c38b03 57152->57146 57153 c38b14 57152->57153 57163 c2f2c5 11 API calls _unexpected 57153->57163 57155 c38b20 57164 c40f39 
LeaveCriticalSection 57156->57164 57158 c38a7a 57158->57138 57159->57144 57160->57146 57161->57146 57162->57152 57163->57155 57164->57158 57166 c1be05 _wctomb_s 57165->57166 57167 c1be35 _strftime 57165->57167 57202 c340bc 19 API calls __dosmaperr 57166->57202 57184 c1bc10 57167->57184 57169 c1be11 _wctomb_s 57172 c299bd _ValidateLocalCookies 5 API calls 57169->57172 57171 c1be5f ___scrt_initialize_default_local_stdio_options 57193 c32308 57171->57193 57173 c1be2f 57172->57173 57173->56962 57176 c299bd _ValidateLocalCookies 5 API calls 57177 c1be8b 57176->57177 57177->56962 57179 c32d47 57178->57179 57181 c32d50 ___scrt_uninitialize_crt 57178->57181 57409 c32bde 66 API calls ___scrt_uninitialize_crt 57179->57409 57182 c12a1f 57181->57182 57410 c32b88 66 API calls 3 library calls 57181->57410 57182->56966 57185 c1bd39 57184->57185 57186 c1bc1d _wctomb_s 57184->57186 57203 c1b460 79 API calls 2 library calls 57185->57203 57188 c1bc31 57186->57188 57190 c1bd64 57186->57190 57204 c1b460 79 API calls 2 library calls 57186->57204 57188->57171 57205 c1b460 79 API calls 2 library calls 57190->57205 57192 c1bd78 57194 c32338 57193->57194 57195 c3234d 57193->57195 57214 c340bc 19 API calls __dosmaperr 57194->57214 57195->57194 57197 c32351 57195->57197 57206 c3039f 57197->57206 57198 c3233d 57215 c2f298 25 API calls ___std_exception_copy 57198->57215 57201 c1be7a 57201->57176 57202->57169 57203->57186 57204->57190 57205->57192 57207 c303ab ___scrt_is_nonwritable_in_current_image 57206->57207 57216 c30377 EnterCriticalSection 57207->57216 57209 c303b9 57217 c30b65 57209->57217 57213 c303d7 __fread_nolock 57213->57201 57214->57198 57215->57201 57216->57209 57231 c40dc2 57217->57231 57221 c30b9f _wctomb_s 57248 c30dd9 57221->57248 57228 c299bd _ValidateLocalCookies 5 API calls 57229 c303c6 57228->57229 57230 c303e4 LeaveCriticalSection __fread_nolock 57229->57230 57230->57213 57268 c3cb68 57231->57268 57233 c40dd1 57275 c44101 57233->57275 57235 c40dd7 _wctomb_s 57239 c30b88 
57235->57239 57284 c3fdfc 57235->57284 57240 c2f3b8 57239->57240 57241 c2f3d8 57240->57241 57242 c2f3cf 57240->57242 57241->57242 57305 c3ebdf 37 API calls 3 library calls 57241->57305 57242->57221 57244 c2f3f8 57306 c3eeec 37 API calls __fassign 57244->57306 57246 c2f40e 57307 c3ef19 37 API calls __fassign 57246->57307 57308 c31f44 25 API calls 3 library calls 57248->57308 57250 c30dfe 57309 c340bc 19 API calls __dosmaperr 57250->57309 57252 c30e03 57310 c2f298 25 API calls ___std_exception_copy 57252->57310 57253 c30be3 57261 c30b27 57253->57261 57255 c30de9 _wctomb_s 57255->57250 57255->57253 57311 c31179 25 API calls 3 library calls 57255->57311 57312 c31a04 40 API calls _wctomb_s 57255->57312 57313 c312d8 40 API calls _wctomb_s 57255->57313 57314 c312fe 45 API calls 3 library calls 57255->57314 57315 c315b2 45 API calls _wctomb_s 57255->57315 57262 c3faf6 _free 19 API calls 57261->57262 57263 c30b37 57262->57263 57264 c40e77 57263->57264 57265 c40e82 57264->57265 57266 c30c12 57264->57266 57265->57266 57316 c32c82 57265->57316 57266->57228 57269 c3cb74 57268->57269 57270 c3cb89 57268->57270 57297 c340bc 19 API calls __dosmaperr 57269->57297 57270->57233 57272 c3cb79 57298 c2f298 25 API calls ___std_exception_copy 57272->57298 57274 c3cb84 57274->57233 57276 c4410e 57275->57276 57277 c4411b 57275->57277 57299 c340bc 19 API calls __dosmaperr 57276->57299 57279 c44127 57277->57279 57300 c340bc 19 API calls __dosmaperr 57277->57300 57279->57235 57281 c44113 57281->57235 57282 c44148 57301 c2f298 25 API calls ___std_exception_copy 57282->57301 57285 c3fe3a 57284->57285 57290 c3fe0a _strftime 57284->57290 57303 c340bc 19 API calls __dosmaperr 57285->57303 57286 c3fe25 RtlAllocateHeap 57288 c3fe38 57286->57288 57286->57290 57291 c3faf6 57288->57291 57290->57285 57290->57286 57302 c3ce51 7 API calls 2 library calls 57290->57302 57292 c3fb01 HeapFree 57291->57292 57293 c3fb2a _free 57291->57293 57292->57293 57294 c3fb16 57292->57294 57293->57239 57304 c340bc 19 API 
calls __dosmaperr 57294->57304 57296 c3fb1c GetLastError 57296->57293 57297->57272 57298->57274 57299->57281 57300->57282 57301->57281 57302->57290 57303->57288 57304->57296 57305->57244 57306->57246 57307->57242 57308->57255 57309->57252 57310->57253 57311->57255 57312->57255 57313->57255 57314->57255 57315->57255 57317 c32c99 57316->57317 57321 c32cbe 57316->57321 57318 c3cb68 __fread_nolock 25 API calls 57317->57318 57317->57321 57319 c32cb7 57318->57319 57322 c3b093 57319->57322 57321->57266 57323 c3b09f ___scrt_is_nonwritable_in_current_image 57322->57323 57324 c3b0a7 57323->57324 57325 c3b0bf 57323->57325 57401 c340a9 19 API calls __dosmaperr 57324->57401 57326 c3b15a 57325->57326 57330 c3b0f1 57325->57330 57406 c340a9 19 API calls __dosmaperr 57326->57406 57329 c3b0ac 57402 c340bc 19 API calls __dosmaperr 57329->57402 57347 c43e23 EnterCriticalSection 57330->57347 57331 c3b15f 57407 c340bc 19 API calls __dosmaperr 57331->57407 57335 c3b0f7 57337 c3b113 57335->57337 57338 c3b128 57335->57338 57336 c3b167 57408 c2f298 25 API calls ___std_exception_copy 57336->57408 57403 c340bc 19 API calls __dosmaperr 57337->57403 57348 c3b17b 57338->57348 57341 c3b0b4 __fread_nolock 57341->57321 57343 c3b118 57404 c340a9 19 API calls __dosmaperr 57343->57404 57344 c3b123 57405 c3b152 LeaveCriticalSection __wsopen_s 57344->57405 57347->57335 57349 c3b1a8 57348->57349 57387 c3b1a1 57348->57387 57350 c3b1cc 57349->57350 57351 c3b1ac 57349->57351 57354 c3b21b 57350->57354 57355 c3b1fe 57350->57355 57353 c340a9 __dosmaperr 19 API calls 57351->57353 57352 c299bd _ValidateLocalCookies 5 API calls 57356 c3b389 57352->57356 57357 c3b1b1 57353->57357 57359 c3b22e 57354->57359 57363 c3b528 __wsopen_s 27 API calls 57354->57363 57358 c340a9 __dosmaperr 19 API calls 57355->57358 57356->57344 57360 c340bc _free 19 API calls 57357->57360 57362 c3b203 57358->57362 57361 c3ad21 __wsopen_s 38 API calls 57359->57361 57364 c3b1b9 57360->57364 57366 c3b23f 57361->57366 57367 c340bc _free 19 API 
calls 57362->57367 57363->57359 57365 c2f298 ___std_exception_copy 25 API calls 57364->57365 57365->57387 57368 c3b283 57366->57368 57369 c3b244 57366->57369 57370 c3b20b 57367->57370 57374 c3b297 57368->57374 57375 c3b2dc WriteFile 57368->57375 57371 c3b248 57369->57371 57372 c3b26d 57369->57372 57373 c2f298 ___std_exception_copy 25 API calls 57370->57373 57380 c3acb7 __wsopen_s 6 API calls 57371->57380 57382 c3b263 57371->57382 57376 c3aae8 __wsopen_s 43 API calls 57372->57376 57373->57387 57378 c3b2a2 57374->57378 57379 c3b2cc 57374->57379 57377 c3b300 GetLastError 57375->57377 57391 c3b2ba 57375->57391 57376->57382 57377->57391 57383 c3b2a7 57378->57383 57384 c3b2bc 57378->57384 57381 c3ad97 __wsopen_s 7 API calls 57379->57381 57380->57382 57381->57382 57382->57387 57388 c3b326 57382->57388 57389 c3b34a 57382->57389 57383->57382 57385 c3b2ac 57383->57385 57386 c3af5f __wsopen_s 8 API calls 57384->57386 57390 c3ae74 __wsopen_s 7 API calls 57385->57390 57386->57391 57387->57352 57392 c3b341 57388->57392 57393 c3b32d 57388->57393 57389->57387 57396 c340bc _free 19 API calls 57389->57396 57390->57391 57391->57382 57395 c34086 __dosmaperr 19 API calls 57392->57395 57394 c340bc _free 19 API calls 57393->57394 57397 c3b332 57394->57397 57395->57387 57398 c3b366 57396->57398 57399 c340a9 __dosmaperr 19 API calls 57397->57399 57400 c340a9 __dosmaperr 19 API calls 57398->57400 57399->57387 57400->57387 57401->57329 57402->57341 57403->57343 57404->57344 57405->57341 57406->57331 57407->57336 57408->57341 57409->57182 57410->57182 57412 c12a6f 57411->57412 57414 c28199 57411->57414 57412->56848 57412->57025 57414->57412 57415 c1bb80 22 API calls 3 library calls 57414->57415 57415->57414 57416->56976 57420 c3318a ___scrt_is_nonwritable_in_current_image 57419->57420 57421 c33264 57420->57421 57426 c331cf 57420->57426 57435 c331de _unexpected _wctomb_s 57420->57435 57438 c40ef1 EnterCriticalSection 57421->57438 57424 c33278 57425 c3328f SetConsoleCtrlHandler 57424->57425 
57431 c332a0 _unexpected __onexit 57424->57431 57427 c332a9 57425->57427 57425->57431 57426->57435 57437 c3ed30 19 API calls 2 library calls 57426->57437 57439 c340a9 19 API calls __dosmaperr 57427->57439 57430 c332ae GetLastError 57430->57431 57440 c33317 LeaveCriticalSection _unexpected 57431->57440 57432 c331e9 57434 c3fdfc _strftime 20 API calls 57432->57434 57432->57435 57434->57435 57436 c3322f __fread_nolock 57435->57436 57441 c32efb 19 API calls _free 57435->57441 57436->56980 57437->57432 57438->57424 57439->57430 57440->57435 57441->57436 57442->56988 57443->56993 57444->56987 57446 c28a50 getaddrinfo 57445->57446 57447 c28a37 57445->57447 57449 c28ab2 57446->57449 57450 c28a77 freeaddrinfo 57446->57450 57473 c1bd90 79 API calls 57447->57473 57451 c299bd _ValidateLocalCookies 5 API calls 57449->57451 57454 c299bd _ValidateLocalCookies 5 API calls 57450->57454 57455 c28ac4 57451->57455 57452 c28a49 57452->57446 57456 c28aac 57454->57456 57455->56990 57456->56990 57457->56999 57458->56997 57459->57003 57460->57010 57461->57008 57462->57014 57463->57018 57464->57008 57465->57018 57466->57018 57467->57018 57468->57018 57469->57018 57470->57018 57471->57014 57472->57014 57473->57452 57474 c17985 57475 c179b8 WSAStartup 57474->57475 57481 c179d8 57474->57481 57476 c179ce 57475->57476 57475->57481 57500 c29c53 28 API calls __onexit 57476->57500 57477 c179f0 57480 c299bd _ValidateLocalCookies 5 API calls 57477->57480 57482 c17aa2 57480->57482 57481->57477 57492 c175f0 socket 57481->57492 57483 c17a61 bind 57485 c17a76 WSAGetLastError 57483->57485 57486 c17aab listen 57483->57486 57484 c17a07 57484->57477 57484->57483 57487 c289f0 81 API calls 57484->57487 57485->57477 57486->57477 57486->57485 57489 c17a47 57487->57489 57489->57483 57490 c15a20 81 API calls 57489->57490 57491 c17a56 57490->57491 57491->57483 57493 c17623 setsockopt 57492->57493 57494 c1760d WSAGetLastError 57492->57494 57495 c17670 setsockopt 57493->57495 57496 c17647 _wctomb_s 57493->57496 
57494->57484 57497 c176b0 setsockopt 57495->57497 57498 c17687 _wctomb_s 57495->57498 57496->57495 57499 c176c5 _wctomb_s 57497->57499 57498->57497 57499->57484 57500->57481

    Control-flow Graph

    Strings
    • OpenThread, xrefs: 00BE3BBF
    • kernel32.dll, xrefs: 00BE3BB2
    • GetThreadDescription, xrefs: 00BE3BC7
    • GetMappedFileNameW, xrefs: 00BE3B74
    • psapi.dll, xrefs: 00BE3B60
    • ntdll.dll, xrefs: 00BE3B15
    • Cannot set debug privilege: %s.Debugging of processes owned by another account won't be possible., xrefs: 00BE3B06
    • SeDebugPrivilege, xrefs: 00BE3AE3
    • GetModuleFileNameExW, xrefs: 00BE3B7C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: Cannot set debug privilege: %s.Debugging of processes owned by another account won't be possible.$GetMappedFileNameW$GetModuleFileNameExW$GetThreadDescription$OpenThread$SeDebugPrivilege$kernel32.dll$ntdll.dll$psapi.dll
    • API String ID: 0-2269794156
    • Opcode ID: 95428abd7ccf5cf55ce134f5c807d2ac055e68b9961227d32b6cbedc665932f9
    • Instruction ID: 7a50a6f5957fa917ba8df6a8af55fe83ac7fd30568b1b74a39a024d3e65397c8
    • Opcode Fuzzy Hash: 95428abd7ccf5cf55ce134f5c807d2ac055e68b9961227d32b6cbedc665932f9
    • Instruction Fuzzy Hash: 4431A2789013809EE7115B75AC4DB6E7BE4EB85B16F4400B9E809972B1DF748DC8CB64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE(advapi32.dll,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0EC5
    • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00BE0EE5
    • GetProcAddress.KERNEL32(LookupPrivilegeValueA), ref: 00BE0EF7
    • GetProcAddress.KERNEL32(AdjustTokenPrivileges), ref: 00BE0F09
    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0F31
    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0F38
    • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00BE0F4A
    • AdjustTokenPrivileges.KERNELBASE(00000001,00000000,?,00000010), ref: 00BE0F88
    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0F97
    • GetLastError.KERNEL32(?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0FA6
    • FreeLibrary.KERNELBASE(?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0FB4
    • SetLastError.KERNEL32(00000000,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0FBB
    Strings
    Similarity
    • API ID: AddressProc$ErrorLastLibraryProcessToken$AdjustChangeCloseCurrentFindFreeLoadLookupNotificationOpenPrivilegePrivilegesValue
    • String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$OpenProcessToken$advapi32.dll
    • API String ID: 3237215637-4270423970
    • Opcode ID: d4d1b672d697ee48276b745fef5a6a0f325ace9bc6148fa19ddc2eeda5c0e0c6
    • Instruction ID: c0de61f8b0cb04c5f332c2c35544cdef73f79a449430ecd832b25733842d6e7f
    • Opcode Fuzzy Hash: d4d1b672d697ee48276b745fef5a6a0f325ace9bc6148fa19ddc2eeda5c0e0c6
    • Instruction Fuzzy Hash: 55316875614341AFD720AF76EC49B1E7BE4FB88715F54051AF448921B0DBB498C4CF92
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • WSAStartup.WS2_32(00000002,?), ref: 00C179BF
    • bind.WS2_32(?,00000010,00000010), ref: 00C17A6B
    • WSAGetLastError.WS2_32(?,?,CCCCCCCC), ref: 00C17A7D
    • listen.WS2_32(?,7FFFFFFF), ref: 00C17AB3
      • Part of subcall function 00C29C53: __onexit.LIBCMT ref: 00C29C59
    Strings
    • Cannot parse IPv4 address "%s", falling back to INADDR_ANY, xrefs: 00C17A4C
    • WSAStartup, xrefs: 00C179E2
    Similarity
    • API ID: ErrorLastStartup__onexitbindlisten
    • String ID: Cannot parse IPv4 address "%s", falling back to INADDR_ANY$WSAStartup
    • API String ID: 2742818544-3921961327
    • Opcode ID: 0adfe180b982c5cf32c1e995025a03a9d6432433d045f7e3f470ffeb8e82fd20
    • Instruction ID: a011b776079502fe6a7381626151914d962c0fe96cd2ecf33f5bca87689e4cf6
    • Opcode Fuzzy Hash: 0adfe180b982c5cf32c1e995025a03a9d6432433d045f7e3f470ffeb8e82fd20
    • Instruction Fuzzy Hash: 153102746083019FDB209F24DC06BEA7BF4FF86320F500B09F4A587291D7B199C9AB12
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • socket.WS2_32(?,?,?), ref: 00C175FF
    • WSAGetLastError.WS2_32 ref: 00C17614
    • setsockopt.WS2_32(?,?,?,?,00000000), ref: 00C17641
    • setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00C17681
    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00C176BE
    Similarity
    • API ID: setsockopt$ErrorLastsocket
    • String ID:
    • API String ID: 1825786771-0
    • Opcode ID: d51537dafeb93ac3e038a48383410e4b8507923a43219fffd2fc1d34a9d36efa
    • Instruction ID: 6e76789879f27ae7171a1aff6fb72847b3fdcc46491241ed094b3b9279bfe2c1
    • Opcode Fuzzy Hash: d51537dafeb93ac3e038a48383410e4b8507923a43219fffd2fc1d34a9d36efa
    • Instruction Fuzzy Hash: 6621BFB5204701AFD720DF18DC05FAA77F4AF09B01F100628FA419B2E1DBB0D989DBA5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8520216b73d880d73fdf502c586f458709324f4c2bee79ebae30b2f49bc033bd
    • Instruction ID: 47bd1c8b73b8f65ff66dc350592096000d61389a19819d7e2e8def9a632e2b84
    • Opcode Fuzzy Hash: 8520216b73d880d73fdf502c586f458709324f4c2bee79ebae30b2f49bc033bd
    • Instruction Fuzzy Hash: 0161C471A2021AEFDF14EFB5C842BEEB7B8EF09310F104515E614A7262DB71DE419B61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Similarity
    • API ID: ErrorLast$accept
    • String ID:
    • API String ID: 3337009512-0
    • Opcode ID: c2a4a634082d3b6703d8da843200fa7f70d2894a774eadebf63ec78c6e6ec3cb
    • Instruction ID: bd4eecf0e9ecdfa78e984c710fc5167fbad76045c12414d2f9c5f4d0abe01ab4
    • Opcode Fuzzy Hash: c2a4a634082d3b6703d8da843200fa7f70d2894a774eadebf63ec78c6e6ec3cb
    • Instruction Fuzzy Hash: AA11A0725003008B8720EF29E8415ABF3E4FF9A330F500B6ED46583591D731A98A9B92
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,00000000,?,00C3B2DA,?,00000000,00000000,?,?,00000000), ref: 00C3AE33
    • GetLastError.KERNEL32(?,00C3B2DA,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?), ref: 00C3AE59
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID:
    • API String ID: 442123175-0
    • Opcode ID: 75a00f894eb87f0e7f2ba02fac5814bb64a198fa2457491176ed60242c1f200c
    • Instruction ID: e388a853ef724654dd63046e85ebb3ad203d7e911b7facede05ba55503fcccd8
    • Opcode Fuzzy Hash: 75a00f894eb87f0e7f2ba02fac5814bb64a198fa2457491176ed60242c1f200c
    • Instruction Fuzzy Hash: 1A21B435A102189BCF19CF19DC80AEDB7B9EF4C301F1040A9E94AD7221D7309E92CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • getaddrinfo.WS2_32(?,00000000,?,?), ref: 00C28A64
    • freeaddrinfo.WS2_32(00000000), ref: 00C28A96
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: freeaddrinfogetaddrinfo
    • String ID:
    • API String ID: 1109861670-0
    • Opcode ID: b5b3bdee751fd2e72301ca6aaf649746eb385a8fd1c00ebd8d74eb7606f7b315
    • Instruction ID: 702a69e13983a8f5b9648db674ef307bf7b49201d8d0d61cf8876ef8f0f44def
    • Opcode Fuzzy Hash: b5b3bdee751fd2e72301ca6aaf649746eb385a8fd1c00ebd8d74eb7606f7b315
    • Instruction Fuzzy Hash: 3521B5B5A183419BC304DF28D891A6BB7F4FFA9300F404D1EF49697152EB70E988C752
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (image not preserved; executed/not-executed colouring lost): blocks c40dc2-c40e76; calls c3cb68, c44101, c3031b, c3fdfc, c3faf6
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 5c2c5b0a19f207546d76bb84921bbede56f3e3efa51657af3d6ed222b69f5a51
    • Instruction ID: d397943c612710b3c39285c525b936a9610b0a3f7d8d38c14ba5d972efacc96a
    • Opcode Fuzzy Hash: 5c2c5b0a19f207546d76bb84921bbede56f3e3efa51657af3d6ed222b69f5a51
    • Instruction Fuzzy Hash: 991126725443029FE720AF69D481B57B7E4FF14765F30482EE2DAC7282E731E9919790
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (image not preserved; executed/not-executed colouring lost): blocks c173a0-c1740b; calls getsockname, c299bd, c17ad0
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: getsockname
    • String ID:
    • API String ID: 3358416759-0
    • Opcode ID: b77845c442f309445bfda9163cbb30ba20fd79fd7f19377510732e24ba1a1e15
    • Instruction ID: b3123c0a90c4cb023b7771841b9beca6613f5b9f7d4a37c5e8f25a2bd162f59c
    • Opcode Fuzzy Hash: b77845c442f309445bfda9163cbb30ba20fd79fd7f19377510732e24ba1a1e15
    • Instruction Fuzzy Hash: D4F0AF71108201AFD700FF18DC42A9FB7E8FF99314F40484EF48992162D630DAA8EB93
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (image not preserved; executed/not-executed colouring lost): blocks c3fdfc-c3fe49; calls c340bc, RtlAllocateHeap, c3e118, c3ce51
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00C29999,?,?,00C1B64A,00000014,?,?,00C1B824,00000001,00BD5AAE,?,?), ref: 00C3FE2E
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 7c130232e5ed9cbb9abdcf12a7bf37deb86715c9c666c8941f77f4e26ece2fed
    • Instruction ID: 1270e750187e48ac07fa387baa6ea0f79652dfa3b8eadd11d7d759b77f7bada0
    • Opcode Fuzzy Hash: 7c130232e5ed9cbb9abdcf12a7bf37deb86715c9c666c8941f77f4e26ece2fed
    • Instruction Fuzzy Hash: 30E0E535A2431166D62026629C09B5F364CAF517A1F11043DED25A22E2DB60CD4352E4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAdjustPrivilege.NTDLL(0000000A,00000001,00000000,?), ref: 00BE3C7F
    • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 00BE3CB5
      • Part of subcall function 00C1B830: FormatMessageW.KERNEL32(00001200,00000000,?,00000400,00000400,00000400,00000000), ref: 00C1B86D
    • NtDeviceIoControlFile.NTDLL(00000000,00000000,00000000,00000000,00000010,0022C007,00000010,0000000C,?), ref: 00BE3DD5
    Strings
    • AUTOHIDE NONEFailed to acquire 'debug' privilege, is system booted in /debug mode?Error: %s, xrefs: 00BE3CC8
    • AUTOHIDE NONEFailed to load 'kldbgdrv', please use local kernel debugging at least once!Error: %s, xrefs: 00BE3D00
    • AUTOHIDE NONEFailed to open 'kldbgdrv'Error: %s, xrefs: 00BE3D80
    • AUTOHIDE NONEFailed to acquire 'load driver' privilege, please run as admin!Error: %s, xrefs: 00BE3C92
    • @, xrefs: 00BE3D4D
    • AUTOHIDE NONEFailed to access model specific register, is system booted in /debug mode?Error: %s, xrefs: 00BE3DE8
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AdjustPrivilege$ControlDeviceFileFormatMessage
    • String ID: @$AUTOHIDE NONEFailed to access model specific register, is system booted in /debug mode?Error: %s$AUTOHIDE NONEFailed to acquire 'debug' privilege, is system booted in /debug mode?Error: %s$AUTOHIDE NONEFailed to acquire 'load driver' privilege, please run as admin!Error: %s$AUTOHIDE NONEFailed to load 'kldbgdrv', please use local kernel debugging at least once!Error: %s$AUTOHIDE NONEFailed to open 'kldbgdrv'Error: %s
    • API String ID: 3673152573-875527524
    • Opcode ID: b40a5e75dc926b1e4a315bd5d6283f269b04d8c45372760a4524094e130a3b2b
    • Instruction ID: 06e3314fa9105adb69769c7f55fbca4ae465dda995f70842a16837b85b61c583
    • Opcode Fuzzy Hash: b40a5e75dc926b1e4a315bd5d6283f269b04d8c45372760a4524094e130a3b2b
    • Instruction Fuzzy Hash: 8541197A74035077E301A7159C46FBF73E8AFD5B15F084439FA48E6290EBB0D9888766
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00C1F270: LoadLibraryA.KERNEL32(Shell32.dll,CFA550F7,00000000,00000000,00C4F3C8,000000FF), ref: 00C1F2CB
      • Part of subcall function 00C1F270: GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00C1F2DB
    • CoCreateInstance.OLE32(00000000,00000001,00C50EFC,0000000C,00000000,00000104,0000002B,CFA550F7,00000000,?,00000000), ref: 00BD56F9
    • SearchPathA.KERNEL32(?,00000000,00000104,?,00000000,?,00000104,00000000,?,?,?,?,?,?,?,00C4B3F8), ref: 00BD5756
    • LoadLibraryA.KERNEL32(?,?,00000104,00000000,?,?,?,?,?,?,?,00C4B3F8,000000FF), ref: 00BD5786
    • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 00BD5798
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00C4B3F8,000000FF), ref: 00BD57D9
    Strings
    • DllGetClassObject, xrefs: 00BD5792
    • \Microsoft Shared\VC, xrefs: 00BD56D0
    • PDB: DIA interface version %d.%d, xrefs: 00BD586D
    • PDB: using DIA dll "%s", xrefs: 00BD582C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Library$AddressLoadProc$CreateFreeInstancePathSearch
    • String ID: DllGetClassObject$PDB: DIA interface version %d.%d$PDB: using DIA dll "%s"$\Microsoft Shared\VC
    • API String ID: 1182861127-3119384895
    • Opcode ID: 2a64ddad10dc8be2d4982cc6cff7cf694ae63ecad8e39a0ab12a2eeb3fbb6b22
    • Instruction ID: 0c57be496a321f90fbf7fa14ef56a21d29e0982ce495072febea2d6fb56aaf60
    • Opcode Fuzzy Hash: 2a64ddad10dc8be2d4982cc6cff7cf694ae63ecad8e39a0ab12a2eeb3fbb6b22
    • Instruction Fuzzy Hash: 4F8181B59006599FDB20CF94DC85BEEBBF4EB08700F60416AE905BB390E7719D84CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 4caeffdd17e04ba1ace145dbb015ce56e9ef103def2700eaca0f743706a3eecf
    • Instruction ID: 31685659b66b9403f8af244f7c5d3aa0376c53aea58695f8e11ebae4001d65aa
    • Opcode Fuzzy Hash: 4caeffdd17e04ba1ace145dbb015ce56e9ef103def2700eaca0f743706a3eecf
    • Instruction Fuzzy Hash: E2C22971E086298FDB25CE28DD407ADB7B5FB48304F1542EAD81DE7241EB78AE858F41
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: (null)$<obj>$X
    • API String ID: 0-1050949231
    • Opcode ID: d7ff0691620e4db9d214131d1e414adb327349aea1f3d25f03bbabfcd0e13bb4
    • Instruction ID: 8bd4c72c03fc79f6b612c45b30ca5885d6694b01b42a04d054e2aec67b2802b5
    • Opcode Fuzzy Hash: d7ff0691620e4db9d214131d1e414adb327349aea1f3d25f03bbabfcd0e13bb4
    • Instruction Fuzzy Hash: C332C1715083898BCB15CF68C990A7BBBE4EF95344F040AADFAC5A7242D731DD4D8B92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemInfo.KERNEL32(?,CFA550F7,00000000,?,?), ref: 00BE2EDA
    • VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,CFA550F7,00000000,?,?), ref: 00BE2EFD
    • VirtualQueryEx.KERNEL32(000000FF,00000000,?,0000001C), ref: 00BE2F26
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: QueryVirtual$InfoSystem
    • String ID: masked protect=0x%x
    • API String ID: 407608572-2043771121
    • Opcode ID: 355783bf82407d78ef42b68c6cffaa48a22a8242b78af5a3808e898225db02d7
    • Instruction ID: 8c8181268188ab9be2c8d310ea8dbb6662ae5b5914868fe9704a103c30e24b3f
    • Opcode Fuzzy Hash: 355783bf82407d78ef42b68c6cffaa48a22a8242b78af5a3808e898225db02d7
    • Instruction Fuzzy Hash: E6C1A1B1900249EFDF20CFA5C885BEEBBF9FF09310F004169E955A7281E7359A49DB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FreeLibrary.KERNEL32(75D90000,00C1291E), ref: 00BE6509
    • CloseHandle.KERNEL32(00000000), ref: 00BE6523
    • NtUnloadDriver.NTDLL(00C79010), ref: 00BE6538
      • Part of subcall function 00BE0E90: LoadLibraryA.KERNELBASE(advapi32.dll,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0EC5
      • Part of subcall function 00BE0E90: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00BE0EE5
      • Part of subcall function 00BE0E90: GetProcAddress.KERNEL32(LookupPrivilegeValueA), ref: 00BE0EF7
      • Part of subcall function 00BE0E90: GetProcAddress.KERNEL32(AdjustTokenPrivileges), ref: 00BE0F09
      • Part of subcall function 00BE0E90: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0F31
      • Part of subcall function 00BE0E90: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0F38
      • Part of subcall function 00BE0E90: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00BE0F4A
      • Part of subcall function 00BE0E90: AdjustTokenPrivileges.KERNELBASE(00000001,00000000,?,00000010), ref: 00BE0F88
      • Part of subcall function 00BE0E90: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0F97
      • Part of subcall function 00BE0E90: GetLastError.KERNEL32(?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0FA6
      • Part of subcall function 00BE0E90: FreeLibrary.KERNELBASE(?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0FB4
      • Part of subcall function 00BE0E90: SetLastError.KERNEL32(00000000,?,?,?,?,00BE3AED,SeDebugPrivilege,00000001,00C12973,CFA550F7), ref: 00BE0FBB
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressLibraryProc$CloseErrorFreeLastProcessToken$AdjustChangeCurrentDriverFindHandleLoadLookupNotificationOpenPrivilegePrivilegesUnloadValue
    • String ID: SeDebugPrivilege
    • API String ID: 3240401103-2896544425
    • Opcode ID: 39c40832ff34076364b7882685092e48bad66ec130e0982131420872958043d1
    • Instruction ID: f04e3584b1cf5080008c4b746711ddd34c2b1750fd2033c5c157f5b9cf5ce71f
    • Opcode Fuzzy Hash: 39c40832ff34076364b7882685092e48bad66ec130e0982131420872958043d1
    • Instruction Fuzzy Hash: 84F082746003819BF7104B25FC5C71D3BE5B724B5AF580098E418D62F5CFB448C8C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLogicalDriveStringsW.KERNEL32(000001FF,?), ref: 00BE26CD
    • QueryDosDeviceW.KERNEL32(?,?,00000103), ref: 00BE2714
      • Part of subcall function 00BDD4B0: WriteProcessMemory.KERNEL32(000000FF,?,?,?,00000000,?), ref: 00BDD516
      • Part of subcall function 00BDD4B0: GetLastError.KERNEL32 ref: 00BDD542
      • Part of subcall function 00BDD4B0: FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00BDD62F
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00BE28F4
    • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BE2986
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Directory$CacheCurrentDeviceDriveErrorFlushInstructionLastLogicalMemoryProcessQueryStringsSystemWrite
    • String ID:
    • API String ID: 1781466888-0
    • Opcode ID: 0a393dc3919c79102fd05c5fe2e91a5ba0a8f316d4e88c59eefeb8d13a35bb04
    • Instruction ID: d3656f187bc4473afb81e15e4f7d9633a8b241b113be7b942a55be9de94cb128
    • Opcode Fuzzy Hash: 0a393dc3919c79102fd05c5fe2e91a5ba0a8f316d4e88c59eefeb8d13a35bb04
    • Instruction Fuzzy Hash: 01C15FB5900298ABDF20DB51CD85BEE77BDEF05300F0005D9EA45A7181E7B4AE88DF61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00C3B61F
    • GetLastError.KERNEL32 ref: 00C3B62C
      • Part of subcall function 00C3B81C: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00C3B69E,?), ref: 00C3B848
      • Part of subcall function 00C3B81C: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,00C3B69E,?,?,?,?,00C3B69E,?), ref: 00C3B85C
    • FindNextFileW.KERNEL32(?,?,?), ref: 00C3B752
    • GetLastError.KERNEL32 ref: 00C3B75C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Time$File$ErrorFindLastSystem$FirstLocalNextSpecific
    • String ID:
    • API String ID: 3693236040-0
    • Opcode ID: 976557cf81c5e7fba8249c5fa558edc54b1d52cae8fa211f6ec2b9458bc3b002
    • Instruction ID: ff452f5724694e16b7a47366a1d4d9eeec5dfeac1ea29cc667903149ad0c22d0
    • Opcode Fuzzy Hash: 976557cf81c5e7fba8249c5fa558edc54b1d52cae8fa211f6ec2b9458bc3b002
    • Instruction Fuzzy Hash: 0F61A4719106189BC724EF74CC86AAEB7F8EF45310F10465AF629C7281DB34EE849FA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EncryptMessage.SECUR32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006,00000000,?,00000000,00000001,?,?,00000000), ref: 00C18C53
      • Part of subcall function 00C19250: FreeContextBuffer.SECUR32(?,?,?,?,00C187FA,CFA550F7,?,?,00C4B180,000000FF), ref: 00C19274
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: BufferContextEncryptFreeMessage
    • String ID: irs$short_send
    • API String ID: 3709023888-1748497182
    • Opcode ID: ad8f50af3e2f57b29e9cf310b24d2851225efb7127ee21a9568ab2c9a3b38258
    • Instruction ID: c964396be3507f453ac9df57f0b22768b2e233608580681784c1be76b0bdc604
    • Opcode Fuzzy Hash: ad8f50af3e2f57b29e9cf310b24d2851225efb7127ee21a9568ab2c9a3b38258
    • Instruction Fuzzy Hash: 6D9169B1A04209AFDB10DFA8C841BDEBBF4FF49314F200159E515A7381DBB5AA48EB64
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DecryptMessage.SECUR32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C1948C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: DecryptMessage
    • String ID: connection_closed_by_peer$renegotiation
    • API String ID: 1433999834-3842103035
    • Opcode ID: b0c4bf1a9f822351f40e63021279d6ceda1b0e55e7a559f2dcc5322f5189cc28
    • Instruction ID: 2c558da1865b27e2444e71ff2063ff518fa00faaa0d9fde45719c7b671c595c2
    • Opcode Fuzzy Hash: b0c4bf1a9f822351f40e63021279d6ceda1b0e55e7a559f2dcc5322f5189cc28
    • Instruction Fuzzy Hash: 4661C471A00208EFDB15DF94C895BDEBBB4FF0A310F10415AF505A7281DBB56A84FBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • recvfrom.WS2_32(?,?,?,00000000,00000000,00000000), ref: 00C17305
    • WSAGetLastError.WS2_32 ref: 00C17339
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ErrorLastrecvfrom
    • String ID: recv
    • API String ID: 3585051393-1507349165
    • Opcode ID: 9000840af0c3789c407d4e1346cca6e236e2786ea642fa5bfceca9cbabdd0c7f
    • Instruction ID: fc14127ee0382cf5bc82010038e82b9092beaf7434837361ba1070e3018b97e1
    • Opcode Fuzzy Hash: 9000840af0c3789c407d4e1346cca6e236e2786ea642fa5bfceca9cbabdd0c7f
    • Instruction Fuzzy Hash: 4EF0BE793083009BCB918F14DC88B5A37B1FBD6302F608129FD64CA2A1C771C899BB24
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,000000FF), ref: 00C2F1CB
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000000FF), ref: 00C2F1D5
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00C2F1E2
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: d13470b81f61666efdbbb0bed202a647235920ed7052543b0514460e188e00c1
    • Instruction ID: a93194530944c23314f8f78a75fa6c41d3adb3240d920ccdb18dcc9d3b026876
    • Opcode Fuzzy Hash: d13470b81f61666efdbbb0bed202a647235920ed7052543b0514460e188e00c1
    • Instruction Fuzzy Hash: 5331D67590132CABCB21DF64DD8878DB7B8AF08311F6042EAE81CA7651EB709F858F45
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FreeLibrary.KERNEL32(75D90000,00C1291E), ref: 00BE6509
    • CloseHandle.KERNEL32(00000000), ref: 00BE6523
    • NtUnloadDriver.NTDLL(00C79010), ref: 00BE6538
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CloseDriverFreeHandleLibraryUnload
    • String ID:
    • API String ID: 3579101394-0
    • Opcode ID: 011c3983ce0108805f67e7962449b0fc7cf551c9f8e3c45d2863672d1aca38b1
    • Instruction ID: e2cebc626064158606eb360a60f4fa5ac52538817619ba8d787e064ca5157d48
    • Opcode Fuzzy Hash: 011c3983ce0108805f67e7962449b0fc7cf551c9f8e3c45d2863672d1aca38b1
    • Instruction Fuzzy Hash: ACF05EF5A083428BDB004B209C9C70A3BA4AB25769B28449ED949C21B2DF69C8C5CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.KERNEL32(00BD5AAE,?,00C327BF,?,00C1B492,00BD5AAE,?,00BD5AAE,?), ref: 00C327E2
    • TerminateProcess.KERNEL32(00000000,?,00C327BF,?,00C1B492,00BD5AAE,?,00BD5AAE,?), ref: 00C327E9
    • ExitProcess.KERNEL32 ref: 00C327FB
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: a23f018b0ca2eb818488848a590710949de920ed85d6e9e04d5b4f7b0f373cf9
    • Instruction ID: e50b84064e7e88ddf5656b2b47fe786583a3c8388a5661fe0713ac62cfdf85ec
    • Opcode Fuzzy Hash: a23f018b0ca2eb818488848a590710949de920ed85d6e9e04d5b4f7b0f373cf9
    • Instruction Fuzzy Hash: 2EE08C35050208AFCF216F64DE4CB0D3B29FB40382F200424F904DA232DB35DD82EB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000,00C3011C), ref: 00C3F832
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Time$FileSystem
    • String ID: GetSystemTimePreciseAsFileTime
    • API String ID: 2086374402-595813830
    • Opcode ID: 7538854af84bc065ed612eee1d85c87800cfcecfd3f0062b02fa02fde3ce559e
    • Instruction ID: a3c6588460f314ae64f4f5de63dcbf29644e6358ac45a3a02543e658687d9fb4
    • Opcode Fuzzy Hash: 7538854af84bc065ed612eee1d85c87800cfcecfd3f0062b02fa02fde3ce559e
    • Instruction Fuzzy Hash: 43E0A031A5021877C714BB559D46A3F7B94EB4AB21F10017ABC09A7290DA610D4396D2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 984c63ee81471a000d78e162be7495e623c4e5cdaeff1ea68d292f436e49dfbd
    • Instruction ID: dabb0e69df78083016dc7a4fc899e83a3dbc27fb65f9af98616748391992165a
    • Opcode Fuzzy Hash: 984c63ee81471a000d78e162be7495e623c4e5cdaeff1ea68d292f436e49dfbd
    • Instruction Fuzzy Hash: 09023DB1E142199FDF24CFA9D9806ADB7F1FF88314F258269D829A7344D731AE41CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstFileExW.KERNEL32(00000140,?,00000140,00000000,?,?,?,?,?,?,00000000,00000140), ref: 00C494EC
    • _free.LIBCMT ref: 00C494FD
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: FileFindFirst_free
    • String ID:
    • API String ID: 689657435-0
    • Opcode ID: a4fa4b5a2f658bdf6e876afe809fd577d6ba73ef5e2f313267978736a8cbe9c7
    • Instruction ID: 4397e4a93432ab4452080a28272052d08ee877b38c040724168af557bb00f603
    • Opcode Fuzzy Hash: a4fa4b5a2f658bdf6e876afe809fd577d6ba73ef5e2f313267978736a8cbe9c7
    • Instruction Fuzzy Hash: CA01EC71C00159AFCF519FA8DC056EF7FB5FB08350F144165FD28E21A1D6314A61AB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CurrentProcessVersion
    • String ID:
    • API String ID: 2809935031-0
    • Opcode ID: f932a3c12ecc7191f2e56cc4c2d70a60b6f8871508fbad43ee9ab97ce6c0f84e
    • Instruction ID: 04853efe9025e0156b74f03101a766b459d8268f6c465ddb0a0857035c537af4
    • Opcode Fuzzy Hash: f932a3c12ecc7191f2e56cc4c2d70a60b6f8871508fbad43ee9ab97ce6c0f84e
    • Instruction Fuzzy Hash: 89E04F34115B918ED3255F3AA80978FBBE49F25742F15459DD0DA82252C374688587A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32(CFA550F7,00C50380,00000000,?), ref: 00C1CD98
      • Part of subcall function 00C1C9E0: _wcschr.LIBVCRUNTIME ref: 00C1CA18
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: EnvironmentStrings_wcschr
    • String ID:
    • API String ID: 4249361245-0
    • Opcode ID: 40294b56338696de08aded45916eeb0c093638f73f16dc88c4ea4ed37172b855
    • Instruction ID: e8f195de184a4e1cadeba93e92df37d949c39e6118d1fc308f06c5484954fd5e
    • Opcode Fuzzy Hash: 40294b56338696de08aded45916eeb0c093638f73f16dc88c4ea4ed37172b855
    • Instruction Fuzzy Hash: 6EE18B7190021AAFCB10DFA4C881FEEF7F5FF09310F14856AE855A7251E731AA55DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C3E460,?,?,00000008,?,?,00C4AC24,00000000), ref: 00C3E692
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: c6708e1cfa0c61b16b6219e52862535e50515efd96fb8ecc5ac88060d2975785
    • Instruction ID: 67916904c3117229ccd1d71fbbeee74972bd308ea15ef87d482bb400f528d253
    • Opcode Fuzzy Hash: c6708e1cfa0c61b16b6219e52862535e50515efd96fb8ecc5ac88060d2975785
    • Instruction Fuzzy Hash: D9B12C75620609DFD715CF28C48AB657BE0FF45364F258658E8AACF2E1C335EA92CB40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0005AD83,00C29F23), ref: 00C2AD7C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 6cb5754c9a858ba442e2375debac17365d6e1840224292bc7e2b19078aaff113
    • Instruction ID: 8e78b009935bdcb6e1088b7812a254c477c3cf7fbf5480f6e816928d0356cf78
    • Opcode Fuzzy Hash: 6cb5754c9a858ba442e2375debac17365d6e1840224292bc7e2b19078aaff113
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 76ac482c2b06292b945b816f115a72dc676cb9a310b39dc1f572e71c73b08521
    • Instruction ID: e6763e78be37ad9d14dc346a7113c84bc17d5b70cbca02c9a5127370afe58896
    • Opcode Fuzzy Hash: 76ac482c2b06292b945b816f115a72dc676cb9a310b39dc1f572e71c73b08521
    • Instruction Fuzzy Hash: 325159B0634A489EDB3849A8896BBFE63F9DB53340F1C451DFCA2CB282C911DF459751
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: ed94cc5d06db1a7e99d863389d290812017f31115f99a3a47a0c4d291e81b05f
    • Instruction ID: c894a96effb847343fa7896351d945980bf8063cbb6b7fb8e8ff32ad6ff32985
    • Opcode Fuzzy Hash: ed94cc5d06db1a7e99d863389d290812017f31115f99a3a47a0c4d291e81b05f
    • Instruction Fuzzy Hash: 68518B71730B886EDB38956D88657BE67EA9B02300F1D0519ECA2D72C2CA11DF42D35B
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
    • Instruction ID: 6869c1a2ae66a06033f56173b95712df0a987198ca4baef9e653bca268b3eaa1
    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
    • Instruction Fuzzy Hash: CA9196721080B349DB2D463EA57403EFFE15A613B171A079EE4F3CB8D5EE24CA65D620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
    • Instruction ID: 70eccae5621fec7dc3754201c0bb23354ba07e19c37bd996dc24c68baaf5f106
    • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
    • Instruction Fuzzy Hash: 3F9154721080F34ADB69863EA57403EFFE15A623A131A07ADD4F3CB9D5ED24DA54E620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
    • Instruction ID: 88fe01f025cb41559a8ce39e038f4d0e1ea13ed5407485d8114a2c81b59109ec
    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
    • Instruction Fuzzy Hash: B09186722094B30DDB29427E95B403DFFE15A523A171A07AEE4F3CB9C5EE24D664E620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
    • Instruction ID: 8a95aa2aaa5003ca0c9e05e96f383b2df5797de80fda53b364aa441691bfada2
    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
    • Instruction Fuzzy Hash: 4F8185722080F34ADB2D463EA5B503EFFE15A523A171A07AED4F6CB9C5EE24C654D620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 091132f2779eb96042a59e420e51519fc029edee924acafda6f25c85b3758335
    • Instruction ID: f917c17b7a57ccfd47a440711c2d01476fed3105dff9463bb5f8f1a13ae962e5
    • Opcode Fuzzy Hash: 091132f2779eb96042a59e420e51519fc029edee924acafda6f25c85b3758335
    • Instruction Fuzzy Hash: 2D717F716501718FD724CF6BFCD0A3E73A1E38A3017864729F6818B395CA75E92AC7A0
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 024f2cad5bd958f53898bd821d343bd4c4ef1b0ea9f8bff4ffff8014d1a81fff
    • Instruction ID: ad0aa29586058baecfc1bcfabe1fac3bccedaccff45da5155a840c4c98e04a9a
    • Opcode Fuzzy Hash: 024f2cad5bd958f53898bd821d343bd4c4ef1b0ea9f8bff4ffff8014d1a81fff
    • Instruction Fuzzy Hash: 6D518071E10119EFDF04CF99C981AFEBBB2EF88304F198199E415AB201C735AE51DB90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4c88e8c69ace258372eb3d265be62f5087ead577efe0cf376e8fa955e3b4b030
    • Instruction ID: 1aee0815f687268602ee978d46d25ce3022526b12ff2d7d5a9b37aaf01371aa8
    • Opcode Fuzzy Hash: 4c88e8c69ace258372eb3d265be62f5087ead577efe0cf376e8fa955e3b4b030
    • Instruction Fuzzy Hash: 9821B673F205384B770CC47E8C5227DB6E1C78C511745427AF8A6EA3C1D968D927E2E4
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aabb8ac93db980299bbb1cdc21d0d966a1e321bd958a33c268b4dbadb2a38914
    • Instruction ID: 12739fd245c43e6d543b0a737e18834ac9f4e324363c2144603858c85a68b87d
    • Opcode Fuzzy Hash: aabb8ac93db980299bbb1cdc21d0d966a1e321bd958a33c268b4dbadb2a38914
    • Instruction Fuzzy Hash: 78119423F30C295B275C816D8C17379A2D2EADC25074F533AEC2AE72C4E954DE23D290
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction ID: f297c02c912b467036ff6c7fdbf42e3b5476f4a3cddfd2885e84676468d42bb5
    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction Fuzzy Hash: 7B11387B2000A243D744AA2EF4B45B6E395EBF632172C427AF0A38BE48DD229AC59500
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 914f90f965d58627382c93f11f2c79cdac3db12dc38d61f240093f96e18c8939
    • Instruction ID: c5a204e68ea3b93d2249ca78b2206a47c00bc29d3730e0fedeeec03d24eba1e9
    • Opcode Fuzzy Hash: 914f90f965d58627382c93f11f2c79cdac3db12dc38d61f240093f96e18c8939
    • Instruction Fuzzy Hash: 0B014CB4B147425BD754DF29C841B5BB7E6BFE8710F14892DB489D7280EBB0E8848B62
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 46cc1eec5523fe48f89d02f5c87f882ae8339493c70e7d45eae1086da149cb4e
    • Instruction ID: 67198f2b68b13c1df1cc5e9234711dd3d0eed991832f2d99ecd6d9ef55832464
    • Opcode Fuzzy Hash: 46cc1eec5523fe48f89d02f5c87f882ae8339493c70e7d45eae1086da149cb4e
    • Instruction Fuzzy Hash: 9BF03CB46143029FD704DF29C852B5FB7E4EB98B50F40485DB588D7280E7B0E9848BA3
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6910a6cb669f9a09cc504bd8827c426d0b0c35624f57410307d8c49431a33e8f
    • Instruction ID: 031051c318d7fa32ba0a66d4559b779ab89a96b027205f2edc4e77ebb8425314
    • Opcode Fuzzy Hash: 6910a6cb669f9a09cc504bd8827c426d0b0c35624f57410307d8c49431a33e8f
    • Instruction Fuzzy Hash: E9E04632E65228EB8724DECC890499AF3ECEB09B11F2505AABA14D3210C270DE04D7D1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,00BE55EF,?,00BDB9FD,?,?,?,?,00BE08E1,00000001,?), ref: 00BDE237
    • GetProcAddress.KERNEL32(00000000,GetEnabledXStateFeatures), ref: 00BDE24B
    • GetProcAddress.KERNEL32(00000000,InitializeContext), ref: 00BDE256
    • GetProcAddress.KERNEL32(00000000,GetXStateFeaturesMask), ref: 00BDE261
    • GetProcAddress.KERNEL32(00000000,LocateXStateFeature), ref: 00BDE26C
    • GetProcAddress.KERNEL32(00000000,SetXStateFeaturesMask), ref: 00BDE277
    • GetProcAddress.KERNEL32(00000000,CopyContext), ref: 00BDE282
    • GetLastError.KERNEL32(?,?,?,00BE55EF,?,00BDB9FD,?,?,?,?,00BE08E1,00000001,?,?,?,?), ref: 00BDE2CE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressProc$ErrorHandleLastModule
    • String ID: %s$AVX feature not enabled$CopyContext$Couldn't retrieve AVX functions$GetEnabledXStateFeatures$GetXStateFeaturesMask$InitializeContext$InitializeContext failed$LocateXStateFeature$SetXStateFeaturesMask$kernel32.dll
    • API String ID: 3392887714-1311255704
    • Opcode ID: 61a9227ce283e6428e6455868df99fa18cdc882db2c2969293ef0b4a4f4c786f
    • Instruction ID: f5274c5a375b6c18fc769eb0bfc4e11407c8784487bfb50663b89765f544f797
    • Opcode Fuzzy Hash: 61a9227ce283e6428e6455868df99fa18cdc882db2c2969293ef0b4a4f4c786f
    • Instruction Fuzzy Hash: 17516EB5500315ABDB20AF25CC89B6ABBE8EF55761F18846AFC149F380E770D844CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • QueryContextAttributesA.SECUR32(?,00000053,?), ref: 00C1A757
    • CertGetCertificateChain.CRYPT32 ref: 00C1A839
    • GetLastError.KERNEL32 ref: 00C1A846
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AttributesCertCertificateChainContextErrorLastQuery
    • String ID: 2.5.4.3$expired_remote_certificate$internal.hex-rays.com$invalid_remote_certificate
    • API String ID: 991655573-2147032877
    • Opcode ID: e3ba42c0b5521b708a0fb9cd6c84429110238e6b6eecbf131eef63d5ac608378
    • Instruction ID: 8337c533830b98408941af3114dd2b8a12c485a6a0a68cba2a9126f92d03aab5
    • Opcode Fuzzy Hash: e3ba42c0b5521b708a0fb9cd6c84429110238e6b6eecbf131eef63d5ac608378
    • Instruction Fuzzy Hash: DD811471605341AFDB10CF24C840BAABBE1BF4A310F444658F9E597692D330E9C9EBA3
    Uniqueness

    Uniqueness Score: -1.00%

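    The function above fetches the peer certificate from the Schannel context (QueryContextAttributesA with attribute 0x53, which is SECPKG_ATTR_REMOTE_CERT_CONTEXT), builds its chain with CertGetCertificateChain and, judging by its string pool, compares the subject commonName (OID 2.5.4.3) against internal.hex-rays.com and reports expired_remote_certificate or invalid_remote_certificate. The Python below is an added illustration of that check, not code from the sample or from Hex-Rays: it walks a DER-encoded Name and Validity with a minimal decoder and applies the two tests. The hand-built DER test data, the order of the two checks and the exact accept/reject semantics are assumptions; the listing only shows the APIs and strings.

```python
"""Added example: the CN / validity decision implied by the listed function's
strings, done over DER with a minimal decoder so it runs offline."""
import datetime as dt

OID_CN = "2.5.4.3"                     # id-at-commonName, the OID string in the listing
EXPECTED_CN = "internal.hex-rays.com"  # the CN string in the listing


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos:]; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def der_children(body: bytes):
    """Yield (tag, body) for every TLV packed inside a constructed element."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        yield tag, inner


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return bytes(out)


def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def subject_cn(name_der: bytes):
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value }); return the CN value."""
    tag, rdns, _ = der_read(name_der)
    if tag != 0x30:
        return None
    for _, rdn in der_children(rdns):
        for _, atv in der_children(rdn):
            (oid_tag, oid), (val_tag, val) = list(der_children(atv))
            if oid_tag == 0x06 and decode_oid(oid) == OID_CN:
                return val.decode("utf-8" if val_tag == 0x0C else "ascii")
    return None


def parse_utctime(s: bytes) -> dt.datetime:
    # UTCTime "YYMMDDHHMMSSZ"; strptime maps YY 69-99 to 19YY, which differs
    # from the RFC 5280 pivot (50) only for years 1950-1968.
    return dt.datetime.strptime(s.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def validity_window(validity_der: bytes):
    """Validity ::= SEQUENCE { notBefore, notAfter } (UTCTime only in this example)."""
    _, body, _ = der_read(validity_der)
    (_, nb), (_, na) = list(der_children(body))
    return parse_utctime(nb), parse_utctime(na)


def check_remote_cert(name_der, validity_der, now, expected_cn=EXPECTED_CN):
    """Assumed decision: CN mismatch -> invalid_remote_certificate,
    outside the validity window -> expired_remote_certificate, else ok."""
    if subject_cn(name_der) != expected_cn:
        return "invalid_remote_certificate"
    not_before, not_after = validity_window(validity_der)
    if not not_before <= now <= not_after:
        return "expired_remote_certificate"
    return "ok"


# Constructed test data: hand-built DER, not taken from the sample or its traffic.
def build_name(cn: str) -> bytes:
    atv = der_tlv(0x30, der_tlv(0x06, encode_oid(OID_CN)) + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))


def build_validity(not_before: str, not_after: str) -> bytes:
    return der_tlv(0x30, der_tlv(0x17, not_before.encode()) + der_tlv(0x17, not_after.encode()))


GOOD_NAME = build_name(EXPECTED_CN)
BAD_NAME = build_name("debug.example.invalid")
WINDOW = build_validity("240101000000Z", "241231235959Z")
NOW_INSIDE = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
NOW_AFTER = dt.datetime(2025, 6, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for name, now in ((GOOD_NAME, NOW_INSIDE), (BAD_NAME, NOW_INSIDE), (GOOD_NAME, NOW_AFTER)):
        print(subject_cn(name), check_remote_cert(name, WINDOW, now))
```

    On Windows the same bytes come from the CERT_CONTEXT returned by QueryContextAttributesA (pbCertEncoded), and CertGetCertificateChain supplies the trust status that this example does not model; a CN pin without chain validation would accept any self-signed certificate carrying the expected name.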
    APIs
      • Part of subcall function 00C1E120: GetCurrentThreadId.KERNEL32 ref: 00C1E15D
      • Part of subcall function 00C1E120: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00C4F468,000000FF), ref: 00C1E17F
      • Part of subcall function 00C1E120: EnterCriticalSection.KERNEL32(00D773D8,CFA550F7,?,00000000,00000001,?,?,CFA550F7,00000000,00000000,00000001,?,?,00C4F468,000000FF), ref: 00C1E197
      • Part of subcall function 00C1E120: LeaveCriticalSection.KERNEL32(00D773D8), ref: 00C1E26B
    • GetModuleHandleA.KERNEL32(kernel32.dll,IDA_DEBUGBREAKPROCESS,00000000,?,?,?,00BE7FDB), ref: 00BE6EA9
    • GetProcAddress.KERNEL32(00000000,DebugActiveProcessStop), ref: 00BE6EBD
    • GetProcAddress.KERNEL32(00000000,DebugBreakProcess), ref: 00BE6EC8
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00BE6ED3
    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00BE6EDD
    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00BE6EE8
    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00BE6EF3
    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00BE6EFE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressProc$CriticalSection$CurrentEnterHandleInitializeLeaveModuleThread
    • String ID: CreateToolhelp32Snapshot$DebugActiveProcessStop$DebugBreakProcess$IDA_DEBUGBREAKPROCESS$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
    • API String ID: 371740190-1882585277
    • Opcode ID: fd4751fc79375e2ea18e67873726f3aaf54c81fc8ab62a05de2921d3c315d020
    • Instruction ID: 93c1d951e951dcb48e8554f53c01526c91d75a5387fc5a1db03e9235dbf24567
    • Opcode Fuzzy Hash: fd4751fc79375e2ea18e67873726f3aaf54c81fc8ab62a05de2921d3c315d020
    • Instruction Fuzzy Hash: AC116074A41310AADF244F679C89B4BBFE4DF62762F0444BBA8049B196C6B4C984CFA5
    Uniqueness

    Uniqueness Score: -1.00%

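    The two functions above resolve AVX context helpers and Toolhelp/debug-control APIs through GetModuleHandleA("kernel32.dll") plus GetProcAddress, which is what fires the report's "Contains functionality to dynamically determine API calls" signature. Because the names are passed as plaintext strings (the report records them as the second GetProcAddress argument), this is the conventional optional-API pattern rather than hashed import resolution; a hash-based resolver would show no literal name at all, so a "?" or a constant where the name should be is what deserves a closer look. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses APIs lines in the report's own format (the sample lines are copied from the entries above), lists which APIs are resolved at runtime and matches them against a constructed watchlist of process-control APIs.

```python
"""Added example: parse Joe Sandbox "APIs" lines and summarise runtime API resolution."""
import re

# Lines copied from the listing above; the report's own "APIs" format.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(kernel32.dll,IDA_DEBUGBREAKPROCESS,00000000,?,?,?,00BE7FDB), ref: 00BE6EA9
• GetProcAddress.KERNEL32(00000000,DebugActiveProcessStop), ref: 00BE6EBD
• GetProcAddress.KERNEL32(00000000,DebugBreakProcess), ref: 00BE6EC8
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00BE6ED3
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00BE6EDD
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00BE6EE8
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00BE6EF3
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00BE6EFE
  • Part of subcall function 00C1E120: GetCurrentThreadId.KERNEL32 ref: 00C1E15D
• _free.LIBCMT ref: 00C494FD
• GetLastError.KERNEL32 ref: 00C1A846
"""

# Constructed watchlist (an assumption for this example): APIs a debugger or an
# injector needs to control, enumerate or write other processes.
DEBUGGER_APIS = {
    "DebugActiveProcessStop", "DebugBreakProcess", "CreateToolhelp32Snapshot",
    "Process32First", "Process32Next", "Module32First", "Module32Next",
    "WriteProcessMemory", "VirtualProtectEx",
}

# "<api>.<module>(<args>), ref: <addr>"; args and the "Part of subcall" prefix are optional.
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line: str):
    """Return one parsed entry, or None when the line is not an API line."""
    m = API_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["mod"], "args": args,
            "ref": m["ref"], "subcall": m["sub"]}


def parse_listing(text: str):
    return [e for e in (parse_api_line(l) for l in text.splitlines()) if e]


def runtime_resolved(entries):
    """Names handed to GetProcAddress, in listing order (the second argument)."""
    return [e["args"][1] for e in entries
            if e["api"] == "GetProcAddress" and len(e["args"]) >= 2]


def triage(text: str, watchlist=DEBUGGER_APIS):
    """Summarise one function's runtime API resolution for a triage note."""
    entries = parse_listing(text)
    resolved = runtime_resolved(entries)
    modules = sorted({e["args"][0] for e in entries
                      if e["api"] == "GetModuleHandleA" and e["args"]})
    return {
        "entries": len(entries),
        "modules": modules,
        "resolved": resolved,
        "watch_hits": sorted(set(resolved) & watchlist),
        # False would mean the report could not recover a literal name: look for hashing.
        "plaintext_names": all(n.isidentifier() for n in resolved),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

    The same parser applies to every APIs block in this report, so the watch hits for all functions can be collected into one table; the AVX entry above would show GetEnabledXStateFeatures and friends with no watchlist hit, which is the expected result for a debugger server probing for XState support.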
    APIs
    • IsValidCodePage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00C1FEFB,?,00000010,?), ref: 00C2090F
    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C1FEFB,?,00000010), ref: 00C20920
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID: UCS-2$UCS-2-INTERNAL$UCS-4$UCS2$UCS4$UTF-16$UTF-32$UTF16$UTF32$ignore$nocompat$translit
    • API String ID: 546120528-4202647433
    • Opcode ID: b5abab6c21844f3bcbed5eeb706ef80c832bd4ebc18fb71a1071b68f15ac54fb
    • Instruction ID: 5af05d0002abecfa49a7c466cc9f79702c85e0da59314dbbd3c104f49c11b07e
    • Opcode Fuzzy Hash: b5abab6c21844f3bcbed5eeb706ef80c832bd4ebc18fb71a1071b68f15ac54fb
    • Instruction Fuzzy Hash: 8AA1F6B05003209BDF209F14B88572BB7E0EF50705F64447EF8598AA43E7B5DA45EBA2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteProcessMemory.KERNEL32(000000FF,?,?,?,00000000,?), ref: 00BDD516
    • GetLastError.KERNEL32 ref: 00BDD542
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00BDD62F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CacheErrorFlushInstructionLastMemoryProcessWrite
    • String ID: %sProcessMemory(%p)$Read$VirtualProtectEx1(%08p, size=%d for %s)$VirtualProtectEx2(%p)$Write$read$write
    • API String ID: 3701336150-2189298975
    • Opcode ID: ac720d8817302287c6c4ef7c351e43754e7c800eb70b78875149e9758373d5dc
    • Instruction ID: fde9a69a04b24d8c23209c657686ca77097139c72d6b898a0446187fcb5cfe85
    • Opcode Fuzzy Hash: ac720d8817302287c6c4ef7c351e43754e7c800eb70b78875149e9758373d5dc
    • Instruction Fuzzy Hash: 2A4103B01083407BE7209B249C48FAFBBE8EF92709F14095DF9D6922D1E760DD88D762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNEL32(mlang.dll,00000000,00C208C4,?,?,?,?,?,?,?,?,?,?,?,00C1FEFB,?), ref: 00C206B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: ConvertINetMultiByteToUnicode$ConvertINetString$ConvertINetUnicodeToMultiByte$IsConvertINetStringAvailable$LcidToRfc1766A$Rfc1766ToLcidA$mlang.dll
    • API String ID: 1029625771-943241681
    • Opcode ID: 288f5945e58b8a66527d9ee98eb21d5c22ed3f056f0deba0262053e5caa46492
    • Instruction ID: 1f1a687dc629c021aee67c1fc0ca48e2535a83f26ceca49f2856df3a138c2dd4
    • Opcode Fuzzy Hash: 288f5945e58b8a66527d9ee98eb21d5c22ed3f056f0deba0262053e5caa46492
    • Instruction Fuzzy Hash: B5F04F31A4531666C7205B7ABC89F4EBEE8EBD1B59F14097FB018E32A0D6B844C0CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 01eb9631297bfba3c61b6f9ef3bb83a4ca5902e07fb93d126fe861da9c55a2c9
    • Instruction ID: 7ae18153fee33a393d82e247d9a420184f508e9808396fcf37912cb1edd94adf
    • Opcode Fuzzy Hash: 01eb9631297bfba3c61b6f9ef3bb83a4ca5902e07fb93d126fe861da9c55a2c9
    • Instruction Fuzzy Hash: 3ED137B1E00381AFDB21AFB98C41A6E7BB4BF40310F14456DF929DB281EB719B41DB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___free_lconv_mon.LIBCMT ref: 00C4632F
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F03
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F15
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F27
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F39
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F4B
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F5D
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F6F
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F81
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45F93
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45FA5
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45FB7
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45FC9
      • Part of subcall function 00C45EE6: _free.LIBCMT ref: 00C45FDB
    • _free.LIBCMT ref: 00C46324
      • Part of subcall function 00C3FAF6: HeapFree.KERNEL32(00000000,00000000,?,00C3DB01), ref: 00C3FB0C
      • Part of subcall function 00C3FAF6: GetLastError.KERNEL32(?,?,00C3DB01), ref: 00C3FB1E
    • _free.LIBCMT ref: 00C46346
    • _free.LIBCMT ref: 00C4635B
    • _free.LIBCMT ref: 00C46366
    • _free.LIBCMT ref: 00C46388
    • _free.LIBCMT ref: 00C4639B
    • _free.LIBCMT ref: 00C463A9
    • _free.LIBCMT ref: 00C463B4
    • _free.LIBCMT ref: 00C463EC
    • _free.LIBCMT ref: 00C463F3
    • _free.LIBCMT ref: 00C46410
    • _free.LIBCMT ref: 00C46428
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 52dc8a65f8ea8f773a41350c8b272f64e15fb9deb8b445bed5c015200a2a0700
    • Instruction ID: 7bf691bb905316c2272f4343a69ee2908aaf8925adb88664f1d35fa22c526e9e
    • Opcode Fuzzy Hash: 52dc8a65f8ea8f773a41350c8b272f64e15fb9deb8b445bed5c015200a2a0700
    • Instruction Fuzzy Hash: EE314C71A00345DFEB30AE78DC45B5A73E8BF01350F24482EE569DB265DF71AE80AB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStdHandle.KERNEL32(000000F5,CFA550F7,00C50380,00000000,?,?,00C1DCB3,00000000,?,00000044,00000000,00000000,?,00000004), ref: 00C1D1FB
    • GetStdHandle.KERNEL32(000000F6,?,00C1DCB3,00000000,?,00000044,00000000,00000000,?,00000004), ref: 00C1D202
    • GetStdHandle.KERNEL32(000000F4,?,00C1DCB3,00000000,?,00000044,00000000,00000000,?,00000004), ref: 00C1D209
    • CloseHandle.KERNEL32(?,CFA550F7,00C50380,00000000,?,?,00C1DCB3,00000000,?,00000044,00000000,00000000,?,00000004), ref: 00C1D3A9
    • CloseHandle.KERNEL32(?,CFA550F7,00C50380,00000000,?,?,00C1DCB3,00000000,?,00000044,00000000,00000000,?,00000004), ref: 00C1D3B3
    • CloseHandle.KERNEL32(?,CFA550F7,00C50380,00000000,?,?,00C1DCB3,00000000,?,00000044,00000000,00000000,?,00000004), ref: 00C1D3BD
    • GetLastError.KERNEL32 ref: 00C1D3F0
    Strings
    • cannot redirect channel %d on windows, xrefs: 00C1D437
    • failed to redirect %d to %s: %s, xrefs: 00C1D402
    • cannot redirect to channel %d on windows, xrefs: 00C1D37B
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Handle$Close$ErrorLast
    • String ID: cannot redirect channel %d on windows$cannot redirect to channel %d on windows$failed to redirect %d to %s: %s
    • API String ID: 4243473068-1398952782
    • Opcode ID: b30657fd04b2d2a45cc95cb133cbb1bf3d1c4be3cbd57260cc6ab006e1358ac1
    • Instruction ID: b5d7ba98aa7aa767fff5cd16842319bbe6ec16eb9f6daf859c32c40e2c3173e0
    • Opcode Fuzzy Hash: b30657fd04b2d2a45cc95cb133cbb1bf3d1c4be3cbd57260cc6ab006e1358ac1
    • Instruction Fuzzy Hash: 0F81D070A006059FDB24CF69C985BEEB7B0FF06310F504629E936976A1C731EE80EB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • StringFromCLSID.OLE32(?,?,CFA550F7), ref: 00BD5378
    • CoTaskMemFree.OLE32(?,?,?,000000FF), ref: 00BD5394
      • Part of subcall function 00C1B830: FormatMessageW.KERNEL32(00001200,00000000,?,00000400,00000400,00000400,00000000), ref: 00C1B86D
    Strings
    • {00000000-0000-0000-0000-000000000000}, xrefs: 00BD53BC
    • ', xrefs: 00BD53A0
    • PDB: loadDataFromPdb("%S"): %s, xrefs: 00BD550C
    • HIDECANCELICON WARNINGAUTOHIDE NONEPDB signature and/or age does not match the input file.Do you want to load it anyway?, xrefs: 00BD5482
    • ', xrefs: 00BD53C2
    • Invalid parameter., xrefs: 00BD5457, 00BD5463, 00BD54FE
    • PDB: loadAndValidateDataFromPdb("%S"): %s, xrefs: 00BD5465
    • PDB: Trying to load PDB "%S" (guid %s, sig 0x%08X, age 0x%08X), xrefs: 00BD53F5
    • Data source has already been prepared., xrefs: 00BD545E, 00BD5505, 00BD550A
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: FormatFreeFromMessageStringTask
    • String ID: '$'$Data source has already been prepared.$HIDECANCELICON WARNINGAUTOHIDE NONEPDB signature and/or age does not match the input file.Do you want to load it anyway?$Invalid parameter.$PDB: Trying to load PDB "%S" (guid %s, sig 0x%08X, age 0x%08X)$PDB: loadAndValidateDataFromPdb("%S"): %s$PDB: loadDataFromPdb("%S"): %s${00000000-0000-0000-0000-000000000000}
    • API String ID: 3640614906-965912233
    • Opcode ID: ce35e12d1cd7e1b8e5db1733719736c38dadd4b7547ab2c28af8100af7ed7585
    • Instruction ID: ee513a1df00d391fed367f535f07314bf8c2abab8213accbb45e2366b590e232
    • Opcode Fuzzy Hash: ce35e12d1cd7e1b8e5db1733719736c38dadd4b7547ab2c28af8100af7ed7585
    • Instruction Fuzzy Hash: C661E275900605ABCB20DF98D840BEEB7F4EF05715F2001AAF815E7390E3729D848BA6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00C182ED
    • LoadLibraryA.KERNEL32(?), ref: 00C18338
    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C18352
    • FreeLibrary.KERNEL32(00000000), ref: 00C18359
    • LoadLibraryA.KERNEL32(?), ref: 00C1838E
    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C1839C
    • GetProcAddress.KERNEL32(00000000,?), ref: 00C183A9
    • FreeLibrary.KERNEL32(00000000), ref: 00C183D7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Library$AddressProc$FreeLoad$DirectorySystem
    • String ID: \ws2_32$\wship6$getaddrinfo
    • API String ID: 1621665182-3078833738
    • Opcode ID: 725d96805ede734832b7a9f50ea91b56284a32426a7ef9d81a0af206684c5864
    • Instruction ID: aa4fb62943698a30844c5269ddcaedecf767970224ec1211829b595f6d3de110
    • Opcode Fuzzy Hash: 725d96805ede734832b7a9f50ea91b56284a32426a7ef9d81a0af206684c5864
    • Instruction Fuzzy Hash: 3C31D5B55083009BC710EB64EC85BAFB7F8EB89700F80092DF958D3251DB74D688DBA2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00C397D7: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00C397F4
    • GetLastError.KERNEL32 ref: 00C39BAC
    • __dosmaperr.LIBCMT ref: 00C39BB3
    • GetFileType.KERNEL32(00000000), ref: 00C39BBF
    • GetLastError.KERNEL32 ref: 00C39BC9
    • __dosmaperr.LIBCMT ref: 00C39BD2
    • CloseHandle.KERNEL32(00000000), ref: 00C39BF2
    • CloseHandle.KERNEL32(?), ref: 00C39D3F
    • GetLastError.KERNEL32 ref: 00C39D71
    • __dosmaperr.LIBCMT ref: 00C39D78
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
    • String ID: H
    • API String ID: 4237864984-2852464175
    • Opcode ID: 5ac6d0cfd3cd1ea79dd3face9eff5dc36396c22a3d70af36f230b99525511985
    • Instruction ID: 6d14666d1fff0dec098ec16e626a62bb0229af3fb4afee86d687d24c74292eb9
    • Opcode Fuzzy Hash: 5ac6d0cfd3cd1ea79dd3face9eff5dc36396c22a3d70af36f230b99525511985
    • Instruction Fuzzy Hash: 9BA12532A241488FDF1DAF68D852BAE7BF0EF46320F140159F815AB3E1CB719952DB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • AcquireCredentialsHandleA.SECUR32(00000000,Microsoft Unified Security Protocol Provider,00000002,00000000,00000004,00000000,00000000,?,00000000,?,?,?,?), ref: 00C19851
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AcquireCredentialsHandle
    • String ID: $$Microsoft Unified Security Protocol Provider$TLS: certificate verified$irs$load_certificates$load_root_ca_certificate$unsupported_tls12
    • API String ID: 3250056690-1008259944
    • Opcode ID: 137f7728a5f266e8c9ab29d581206bdb3ea9ea0487b8bfdb6a699f5b5263e2de
    • Instruction ID: a52851db371100f775e030c67eed050e6291b659f719c1112c8e5ce3f9ab71e0
    • Opcode Fuzzy Hash: 137f7728a5f266e8c9ab29d581206bdb3ea9ea0487b8bfdb6a699f5b5263e2de
    • Instruction Fuzzy Hash: 8D71E4B6A047089FDB10DF50E842BEEF7F4FB45720F00422EE915A7680DB766948DB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ResumeThread.KERNEL32(00000000), ref: 00BE0555
    • GetThreadSelectorEntry.KERNEL32(00000000,?,?), ref: 00BE0607
    • GetLastError.KERNEL32 ref: 00BE0611
      • Part of subcall function 00C1D4D0: GetCurrentThreadId.KERNEL32 ref: 00C1D4E7
      • Part of subcall function 00C1D4D0: InitializeCriticalSection.KERNEL32(00000000), ref: 00C1D509
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Thread$CriticalCurrentEntryErrorInitializeLastResumeSectionSelector
    • String ID: GetThreadSelectorEntry$ResumeThread(%08X)$ResumeThread(%08X) -> %d$SuspendThread(%08X)$SuspendThread(%08X) -> %d
    • API String ID: 2137861752-2861539722
    • Opcode ID: 33e9af615511782f64c9c17879956b99ab5e7d1e5c73e64f23f2ab49a444126f
    • Instruction ID: 7c4ce944d575e06d8d4bac57ad57014fcf62d5ab95247716d234c26bc0c32c52
    • Opcode Fuzzy Hash: 33e9af615511782f64c9c17879956b99ab5e7d1e5c73e64f23f2ab49a444126f
    • Instruction Fuzzy Hash: C15124705003505FD720BB29EC89BEA37D4EFA2325F140658F8AA831E1D7B05CD9DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 916cf0ebad842a0a854ca7447db1201f12d9e37479df2d40fdd727b52cafd7d2
    • Instruction ID: 23984e23e7fb11977ef90d5962f1ac813677f12aa82e57b0ba4aa176866cba64
    • Opcode Fuzzy Hash: 916cf0ebad842a0a854ca7447db1201f12d9e37479df2d40fdd727b52cafd7d2
    • Instruction Fuzzy Hash: CB21BF76910108AFDB41EF98CD81DDE7BB5BF08300F104565F9199F222E771DA55EB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetLastError.KERNEL32(00000032), ref: 00BDE9CC
    • DebugActiveProcess.KERNEL32(?,?), ref: 00BDE9DC
      • Part of subcall function 00C1D4D0: GetCurrentThreadId.KERNEL32 ref: 00C1D4E7
      • Part of subcall function 00C1D4D0: InitializeCriticalSection.KERNEL32(00000000), ref: 00C1D509
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ActiveCriticalCurrentDebugErrorInitializeLastProcessSectionThread
    • String ID: AUTOHIDE NONEPlease use ida64 to debug 64-bit applications$ContinueDebugEvent$ContinueDebugEvent: handled=%s$DebugActiveProcess %08lX$yes
    • API String ID: 4210721570-1988077489
    • Opcode ID: 2b92b8869a3b4d06895160b40b239daad72a24b5306110cccd4bc1e44bd4d1cf
    • Instruction ID: 37bf387b049489c49e44b05e09adb72aee3f7f71e5653a9bd23fc970147a8983
    • Opcode Fuzzy Hash: 2b92b8869a3b4d06895160b40b239daad72a24b5306110cccd4bc1e44bd4d1cf
    • Instruction Fuzzy Hash: 3A5127742007016BD721AB28E885BEAB7E5EF51324F10465EF8BA4B3D1E7B0ACC5C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FormatMessageA.KERNEL32(000012FF,?,?,00000400,00C7C0D0,00000400,?), ref: 00C17502
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: FormatMessage
    • String ID: %s: %s$WSAStartup$WSAStartup failed with error: %d$gai_strerror$getaddrinfo: %s$recv$recv: Connection closed by peer
    • API String ID: 1306739567-2680373602
    • Opcode ID: e7445cec530b4b47f1823e6093155010aea0c5a534281cdfa2e667cdf28a4b32
    • Instruction ID: 980d94c7cc03259df5b1be104dfd780ccd595f4d691fb617facdac6dcf74ed5d
    • Opcode Fuzzy Hash: e7445cec530b4b47f1823e6093155010aea0c5a534281cdfa2e667cdf28a4b32
    • Instruction Fuzzy Hash: 6131E86270C14167C7210B309D22BF37BB3BF27348B5842A0ED9597612F722EED9A395
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e3560b83d4a9df1f1e4939b7c3628ce631034d67f11acbde25d2ec9f24d5df55
    • Instruction ID: 76f298d2d5b9ebc519823253348e591f37c029021c8a966907ef2cb6da88e2f1
    • Opcode Fuzzy Hash: e3560b83d4a9df1f1e4939b7c3628ce631034d67f11acbde25d2ec9f24d5df55
    • Instruction Fuzzy Hash: 94C13371E24305AFDB19DF99C880BADBBB0AF49300F104558F595AB392C7349E92DF62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: inet_ntoa
    • String ID: (my ip $%s:%u: %s$0.0.0.0$Failed to create thread: %s; cannot handle session$Listening on %s:%u%s...$Rejected client
    • API String ID: 1879540557-975577182
    • Opcode ID: 8cd90a71dec0d05728a38f81e8029c047e4b835c8ceb7f72a1c9329ab94d5578
    • Instruction ID: 3fe64e6ad42cc89f419de122c3c2a884cb0268ed0c231900ca845c1942898ee4
    • Opcode Fuzzy Hash: 8cd90a71dec0d05728a38f81e8029c047e4b835c8ceb7f72a1c9329ab94d5578
    • Instruction Fuzzy Hash: 7FD1D7B1D00219EFDB10DFA4D881BEEBBB9AF0A314F144118F855B7282D7719D84EBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: 65535$udp
    • API String ID: 0-1267037602
    • Opcode ID: 5eaad9640049d4418556cb6b469541503231539b12c60104f436a16f4c1b4d16
    • Instruction ID: cd6051b72f32777ab0636aa986060717210cf4708775b3dbba428f3b75c429d3
    • Opcode Fuzzy Hash: 5eaad9640049d4418556cb6b469541503231539b12c60104f436a16f4c1b4d16
    • Instruction Fuzzy Hash: AA5123366087015BD724EE18E8157AFB3E0EF9A710F54442DF85687252EF31CE8DA6A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BE739B
    • GetProcAddress.KERNEL32(00000000,GetProcessDEPPolicy), ref: 00BE73B2
    • GetProcAddress.KERNEL32(00000000,GetSystemDEPPolicy), ref: 00BE73CC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: GetProcessDEPPolicy$GetSystemDEPPolicy$kernel32.dll$win32
    • API String ID: 667068680-3817798277
    • Opcode ID: e0c4f4a7c8991ca41011081b9be1b261a9c5aff7f7f7f88b513335a2314ac165
    • Instruction ID: 309d8f316e1e4e3602ebbb4c73b82f3e1504ed0a28a873ad266c66543b323170
    • Opcode Fuzzy Hash: e0c4f4a7c8991ca41011081b9be1b261a9c5aff7f7f7f88b513335a2314ac165
    • Instruction Fuzzy Hash: 4221C0B4104700AFD3208F65DC0479BBBF8FB45711F10062DE829972E0DFB459849BA1
    Uniqueness

    Uniqueness Score: -1.00%

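Capability triage over the function entries above, as an added example that is not part of the Joe Sandbox report and not code from the analysed sample. It serves four of the entries on this page: the WriteProcessMemory/FlushInstructionCache function (ref 00BDD516), the DebugActiveProcess function (ref 00BDE9DC), the inet_ntoa function whose strings include "Listening on %s:%u%s...", and the GetProcAddress function (ref 00BE73B2). The script parses the APIs and Similarity lines of such entries and labels the combinations that together describe a remote debugging server: code written into a foreign process, debugger attachment, a listening socket, and API names resolved at runtime instead of appearing in the import table. The text embedded in the script is a constructed subset of entries copied from this page; the rule set, the capability labels and the 12-character Opcode ID prefix used as a key are the example's own choices, not Joe Sandbox conventions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: four entries copied from the listing, trimmed to the lines this parser reads.
SAMPLE = """\
APIs
• WriteProcessMemory.KERNEL32(000000FF,?,?,?,00000000,?), ref: 00BDD516
• FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00BDD62F
Similarity
• String ID: %sProcessMemory(%p)$Read$VirtualProtectEx1(%08p, size=%d for %s)$VirtualProtectEx2(%p)$Write$read$write
• Opcode ID: ac720d8817302287c6c4ef7c351e43754e7c800eb70b78875149e9758373d5dc
Uniqueness Score: -1.00%
APIs
• SetLastError.KERNEL32(00000032), ref: 00BDE9CC
• DebugActiveProcess.KERNEL32(?,?), ref: 00BDE9DC
  • Part of subcall function 00C1D4D0: GetCurrentThreadId.KERNEL32 ref: 00C1D4E7
Similarity
• String ID: AUTOHIDE NONEPlease use ida64 to debug 64-bit applications$ContinueDebugEvent$DebugActiveProcess %08lX$yes
• Opcode ID: 2b92b8869a3b4d06895160b40b239daad72a24b5306110cccd4bc1e44bd4d1cf
Uniqueness Score: -1.00%
APIs
Similarity
• String ID: (my ip $%s:%u: %s$0.0.0.0$Failed to create thread: %s; cannot handle session$Listening on %s:%u%s...$Rejected client
• Opcode ID: 8cd90a71dec0d05728a38f81e8029c047e4b835c8ceb7f72a1c9329ab94d5578
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BE739B
• GetProcAddress.KERNEL32(00000000,GetProcessDEPPolicy), ref: 00BE73B2
• GetProcAddress.KERNEL32(00000000,GetSystemDEPPolicy), ref: 00BE73CC
Similarity
• String ID: GetProcessDEPPolicy$GetSystemDEPPolicy$kernel32.dll$win32
• Opcode ID: e0c4f4a7c8991ca41011081b9be1b261a9c5aff7f7f7f88b513335a2314ac165
Uniqueness Score: -1.00%
"""

# One '• Name.MODULE(args), ref: ADDR' line; the '(args)' part is optional in the report.
API_RE = re.compile(r"^• (?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: [0-9A-F]+$")
SECTIONS = {"APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Uniqueness"}

@dataclass
class ApiCall:
    name: str
    args: list

@dataclass
class FunctionEntry:
    opcode_id: str = ""
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_entries(text):
    """Split the listing at each 'Uniqueness Score' line into FunctionEntry objects."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines() + ["Uniqueness Score"]:   # sentinel flushes the last entry
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            if cur.apis or cur.strings or cur.opcode_id:
                entries.append(cur)
            cur, section = FunctionEntry(), None
        elif line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)     # 'Part of subcall function' lines belong to callees; skipped
            if m:
                cur.apis.append(ApiCall(m.group("name"), m.group("args").split(",") if m.group("args") else []))
        elif section == "Similarity":
            if line.startswith("• String ID: "):       # Joe Sandbox joins the strings with '$'
                cur.strings += [s for s in line[len("• String ID: "):].split("$") if s]
            elif line.startswith("• Opcode ID: "):
                cur.opcode_id = line[len("• Opcode ID: "):]
    return entries

def runtime_imports(entry):
    """Names passed literally to GetProcAddress: imports that never appear in the PE import table."""
    return [c.args[1] for c in entry.apis
            if c.name == "GetProcAddress" and len(c.args) >= 2
            and c.args[1] != "?" and not re.fullmatch(r"[0-9A-F]{8}", c.args[1])]

def capabilities(entry):
    """Capability labels for one function; rules and labels are this example's own, not Joe Sandbox's."""
    apis = {c.name for c in entry.apis}
    caps = []
    if {"WriteProcessMemory", "FlushInstructionCache"} <= apis:
        caps.append("writes executable code into another process")
    if "DebugActiveProcess" in apis:
        caps.append("attaches to a process as a debugger")
    if any(s.startswith("Listening on") for s in entry.strings):
        caps.append("opens a listening network socket")
    resolved = runtime_imports(entry)
    if resolved:
        caps.append("resolves APIs at runtime: " + ", ".join(resolved))
    return caps

def triage(text):
    """Map the first 12 hex digits of each Opcode ID to that function's capability labels."""
    return {e.opcode_id[:12]: capabilities(e) for e in parse_entries(text) if e.opcode_id}

if __name__ == "__main__":
    for key, caps in triage(SAMPLE).items():
        print(key, "->", "; ".join(caps) or "(nothing flagged)")
```

Run the script directly to print one line per function, or pass the text of a whole report page to triage(). Two details the labels do not capture but a reviewer should keep: the function that calls DebugActiveProcess also sets the last error to 0x32 (ERROR_NOT_SUPPORTED) and carries the string "Please use ida64 to debug 64-bit applications", which is the behaviour of a 32-bit debugger server refusing a 64-bit target; and the listener function carries the literal 0.0.0.0 next to "Listening on %s:%u%s...", so whether the service binds every interface is worth confirming dynamically rather than assumed. Strings such as IDA_DEBUGBREAKPROCESS, the ida64 message and the PDB loader messages are those of Hex-Rays' IDA remote debugger server, which IDA ships under the same file name, win32_remote.exe; the API list on its own therefore cannot tell a pristine copy of that server from a modified one, and comparing the Opcode IDs against a known-good win32_remote.exe of the same IDA version is the check that does.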
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: tcp$udp
    • API String ID: 0-3725065008
    • Opcode ID: 31a63a0903eac29a004a118362988dce5b3e53a09fc2ac5c5224cf36fe59ff1b
    • Instruction ID: 438f3dda6430862e1ed3ac3f3c094e0b9fe9bee8f61269f23ae994e364e4c2d7
    • Opcode Fuzzy Hash: 31a63a0903eac29a004a118362988dce5b3e53a09fc2ac5c5224cf36fe59ff1b
    • Instruction Fuzzy Hash: EDA111316083058FD720DF19D8807ABB7F0EF96750F04866EE8948B261D775DE89EB92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00BFDA95
      • Part of subcall function 00C2995F: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C2996B
      • Part of subcall function 00C2995F: __CxxThrowException@8.LIBVCRUNTIME ref: 00C29979
    • std::_Xinvalid_argument.LIBCPMT ref: 00BFDAA5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
    • String ID: list<T> too long$string too long$vector<T> too long
    • API String ID: 1284171080-3856299004
    • Opcode ID: 016a7dab50bc5cc726f73d28e5e5c5ea92a872f2ffa407ff1aba1158f71614bf
    • Instruction ID: bf99d57d1ba912f5a5f787a776971fec9a89db1b601924f6abeb38a08968e1d9
    • Opcode Fuzzy Hash: 016a7dab50bc5cc726f73d28e5e5c5ea92a872f2ffa407ff1aba1158f71614bf
    • Instruction Fuzzy Hash: 92718D70A043499FCB14DFA8D484BEEBBF5EF09310F1445ADE959AB381D770A948CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _ValidateLocalCookies.LIBCMT ref: 00C2C49B
    • ___except_validate_context_record.LIBVCRUNTIME ref: 00C2C4A3
    • _ValidateLocalCookies.LIBCMT ref: 00C2C531
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00C2C55C
    • _ValidateLocalCookies.LIBCMT ref: 00C2C5B1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 3b057bc1f81860efeb4acdaf3009bff764e8b6c7683eabd090fed09a83046482
    • Instruction ID: 79d9a50b1ff728c436b456726703b7285b940a5ae352c1fdd4bde4b9f6d7bda7
    • Opcode Fuzzy Hash: 3b057bc1f81860efeb4acdaf3009bff764e8b6c7683eabd090fed09a83046482
    • Instruction Fuzzy Hash: 6041F834E002289BCF10DF69E8C4AAE7BB4BF44314F148165E825AB792D771EA45DB91
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: c1c0947c314447356c603bdd671c03ba8b18c3a0ead5cfb8f173ad58639c53dd
    • Instruction ID: af40c57aa24eb45b98c28d7425f365eb862f0706ac19b7b7424d40e083daed03
    • Opcode Fuzzy Hash: c1c0947c314447356c603bdd671c03ba8b18c3a0ead5cfb8f173ad58639c53dd
    • Instruction Fuzzy Hash: 6C21BB31E51315EBCB314A299C81F6F7758AF45760F240A39ED69E72D1D630DE02C6E0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 00BE7997
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: success! old=0x%x$VirtualProtectEx$dbg_enable_page_bpt(%s): page_ea=%a, old_prot=0x%x, new_prot=0x%x$false$true
    • API String ID: 544645111-559441299
    • Opcode ID: e04a9394c2c3ddfb87f6988daa29b907102ff3ca112bff09afe3f9d1a54fb4d8
    • Instruction ID: 269387c83408eaaabfcda061ba24321fc6a31d38262a138fe4f9f7012fec7f86
    • Opcode Fuzzy Hash: e04a9394c2c3ddfb87f6988daa29b907102ff3ca112bff09afe3f9d1a54fb4d8
    • Instruction Fuzzy Hash: C611E97A3843016BD710CF259C81E7BB3E8EF95711B04442DF8C5C2152D721E89DB7A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00C4604D: _free.LIBCMT ref: 00C46072
    • _free.LIBCMT ref: 00C460D3
      • Part of subcall function 00C3FAF6: HeapFree.KERNEL32(00000000,00000000,?,00C3DB01), ref: 00C3FB0C
      • Part of subcall function 00C3FAF6: GetLastError.KERNEL32(?,?,00C3DB01), ref: 00C3FB1E
    • _free.LIBCMT ref: 00C460DE
    • _free.LIBCMT ref: 00C460E9
    • _free.LIBCMT ref: 00C4613D
    • _free.LIBCMT ref: 00C46148
    • _free.LIBCMT ref: 00C46153
    • _free.LIBCMT ref: 00C4615E
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 918ad97e9ee96470931f57a7106f1100360e20b41c714626ed78e0da9a2c14ec
    • Instruction ID: 2f3cdb2f14c75520d113bba4b7436558e74c70a7de24682bb64673445c134bfb
    • Opcode Fuzzy Hash: 918ad97e9ee96470931f57a7106f1100360e20b41c714626ed78e0da9a2c14ec
    • Instruction Fuzzy Hash: 24112171D40B44FAE530FFB0CC07FCB779C6F05740F404C2AB29D6A196DA69B505A656
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00C1D4D0: GetCurrentThreadId.KERNEL32 ref: 00C1D4E7
      • Part of subcall function 00C1D4D0: InitializeCriticalSection.KERNEL32(00000000), ref: 00C1D509
    • SetLastError.KERNEL32(00000032,?), ref: 00BE013E
    Strings
    • AUTOHIDE NONEInput file is missing: %s, xrefs: 00BDFF84
    • %d: (set_step) SetThreadContext failed, xrefs: 00BDFEB1
    • AUTOHIDE NONECannot find application file '%s', xrefs: 00BE0196
    • AUTOHIDE NONE%s, xrefs: 00BE0241
    • AUTOHIDE NONEPlease use ida64 to debug 64-bit applications, xrefs: 00BE012E
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CriticalCurrentErrorInitializeLastSectionThread
    • String ID: %d: (set_step) SetThreadContext failed$AUTOHIDE NONE%s$AUTOHIDE NONECannot find application file '%s'$AUTOHIDE NONEInput file is missing: %s$AUTOHIDE NONEPlease use ida64 to debug 64-bit applications
    • API String ID: 2717818847-627147582
    • Opcode ID: fb29a813af3b52648f6808b1949f394e1725e712b223fd1623098ed59c9c74c1
    • Instruction ID: 4ab9ec30070e1d0811bfa5699f0470e62b2a7d2475e4bbdf44351eb5fcbc59dc
    • Opcode Fuzzy Hash: fb29a813af3b52648f6808b1949f394e1725e712b223fd1623098ed59c9c74c1
    • Instruction Fuzzy Hash: 2BF1C070900389AFDF21EF64C845BEEBBF4EF05304F044169F859A7291DBB46A84DB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __allrem.LIBCMT ref: 00C33C17
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C33C33
    • __allrem.LIBCMT ref: 00C33C4A
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C33C68
    • __allrem.LIBCMT ref: 00C33C7F
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C33C9D
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
    • String ID:
    • API String ID: 1992179935-0
    • Opcode ID: eb40296fbc8b90fb36133f3737146b4df7bc1f29ddd9f9b2da2995feb58e00c9
    • Instruction ID: 336f862be4ee7b9e38223ca85ac9d82dea0493bf4fd6a8fe28efa8f2fdf4b5e6
    • Opcode Fuzzy Hash: eb40296fbc8b90fb36133f3737146b4df7bc1f29ddd9f9b2da2995feb58e00c9
    • Instruction Fuzzy Hash: 99814772A107429BE724EF69DC42BAAB7F8AF40724F24422EF421DB6C1E774DB009754
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00C3D4E1
    • _free.LIBCMT ref: 00C3D4FC
    • _free.LIBCMT ref: 00C3D507
    • _free.LIBCMT ref: 00C3D616
      • Part of subcall function 00C3FA99: HeapAlloc.KERNEL32(00000008,?,?,?,00C3ED79,00000001,00000364,00000005,000000FF,?,CFA550F7,00C340C1,00C3FB1C,?,?,00C3DB01), ref: 00C3FADA
    • _free.LIBCMT ref: 00C3D5EB
      • Part of subcall function 00C3FAF6: HeapFree.KERNEL32(00000000,00000000,?,00C3DB01), ref: 00C3FB0C
      • Part of subcall function 00C3FAF6: GetLastError.KERNEL32(?,?,00C3DB01), ref: 00C3FB1E
    • _free.LIBCMT ref: 00C3D60C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free$Heap$AllocErrorFreeLast
    • String ID:
    • API String ID: 2104767428-0
    • Opcode ID: af8175e2d733a2501cfceffe69a200a49b005d83c2411546f95f35b5c693e08a
    • Instruction ID: ff76a45b23c6b266ffadb88a66066e5a97c956d21bf35b432b5e774fd07ef110
    • Opcode Fuzzy Hash: af8175e2d733a2501cfceffe69a200a49b005d83c2411546f95f35b5c693e08a
    • Instruction Fuzzy Hash: A851AC76E04201ABDF14DF78B8527BA77B8DF84310F24046EFD5ADB241EA319F029660
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,00C3B27E,?,00000000,00000000,?), ref: 00C3AB2A
    • __fassign.LIBCMT ref: 00C3ABB4
    • __fassign.LIBCMT ref: 00C3ABD3
    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00C3AC22
    • WriteFile.KERNEL32(?,00C3B27E,00000001,?,00000000), ref: 00C3AC5C
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: FileWrite__fassign$Console
    • String ID:
    • API String ID: 3692784241-0
    • Opcode ID: f99d0abb0b4419155ad1fe60e0d1fa0d0d37e34ed91d0218b1d9fce2def2947e
    • Instruction ID: 42c5b2b5fe137806490d701520e03b0bc2a3db881ab17eeea5c56a5e7d97efee
    • Opcode Fuzzy Hash: f99d0abb0b4419155ad1fe60e0d1fa0d0d37e34ed91d0218b1d9fce2def2947e
    • Instruction Fuzzy Hash: DF51C171E10248AFCF04CFA8D881BEEBBF8EF09310F14456AE556E7251D7309951CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,00C2DB09,00C2B068), ref: 00C2DB20
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C2DB2E
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C2DB47
    • SetLastError.KERNEL32(00000000,?,00C2DB09,00C2B068), ref: 00C2DB99
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 7dcf7d90221f366975f69b5bea60c50839f9e414f42b8dbfa3d44f84346eade0
    • Instruction ID: b201561930408a8dd74f386553e8487c87840b4172da951225014800d2003c8b
    • Opcode Fuzzy Hash: 7dcf7d90221f366975f69b5bea60c50839f9e414f42b8dbfa3d44f84346eade0
    • Instruction Fuzzy Hash: 9A01D4362193716FA72527B87CA5B5F2BA4EB623B17310229F039914E0EF114C41B951
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeSecurityContextA.SECUR32(00000800,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000002,00000000,00000000,00000001), ref: 00C199EF
    • InitializeSecurityContextA.SECUR32(00000800,?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000002,00000000,00000000,00000001), ref: 00C19B0B
    • QueryContextAttributesA.SECUR32(?,00000004,00000000,CFA550F7,?,?,00000000), ref: 00C19C68
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Context$InitializeSecurity$AttributesQuery
    • String ID: irs$unsupported_attributes
    • API String ID: 108030439-414457109
    • Opcode ID: a4207747d210f880f9e38c7d2cd5db64b013f2de0f59ec7c5fa9e45a3c301aae
    • Instruction ID: b8a2773805ace4382c746257ab346d1e3042f8dc659d28b983983f8c45a2084e
    • Opcode Fuzzy Hash: a4207747d210f880f9e38c7d2cd5db64b013f2de0f59ec7c5fa9e45a3c301aae
    • Instruction Fuzzy Hash: 3FB19F71D40208EFDF10DFA4C995BDDBBB8FF06304F244159E9046B282D7B59A88EB95
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00BF3687
      • Part of subcall function 00C2C3C3: RaiseException.KERNEL32(?,?,?,00C2AA68,?,?,?,?,?,?,?,?,00C2AA68,00C1B492,00C77274,00C1B492), ref: 00C2C423
    Strings
    • ""'', xrefs: 00BF376B
    • BADADDR|BADSEL|MAXADDR, xrefs: 00BF385C
    • long|string|number|success|char|float|void, xrefs: 00BF384E
    • auto|static|for|if|else|while|do|break|continue|return, xrefs: 00BF383E
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ExceptionException@8RaiseThrow
    • String ID: ""''$BADADDR|BADSEL|MAXADDR$auto|static|for|if|else|while|do|break|continue|return$long|string|number|success|char|float|void
    • API String ID: 3976011213-2830299658
    • Opcode ID: 11fbd3441fc7b5451af844824e5859bd9a359ada4827ff0a5b5aff79c51c6c92
    • Instruction ID: 4b08ab3b8531847fc573674739caba54fdb8ca416902a92319f0dcb387f280a8
    • Opcode Fuzzy Hash: 11fbd3441fc7b5451af844824e5859bd9a359ada4827ff0a5b5aff79c51c6c92
    • Instruction Fuzzy Hash: A55136B0100B05AFE7219F11D85AB1BBBF0FF01B08F10891CE54A1BAD1D7BAA658CB85
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(shlwapi.dll,00BD693A,?,?,0000000C,?,CFA550F7,00000000,?,?), ref: 00BD559E
    • GetProcAddress.KERNEL32(00000000,PathIsUNCA), ref: 00BD55AE
    Strings
    • AUTOHIDE NONEHIDECANCELPlease be careful, the debug path looks odd!"%s"Do you really want IDA to access this path (possibly a remote server)?, xrefs: 00BD55DD
    • shlwapi.dll, xrefs: 00BD5599
    • PathIsUNCA, xrefs: 00BD55A8
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: AUTOHIDE NONEHIDECANCELPlease be careful, the debug path looks odd!"%s"Do you really want IDA to access this path (possibly a remote server)?$PathIsUNCA$shlwapi.dll
    • API String ID: 1646373207-3076978507
    • Opcode ID: 67d2ce3e47faafe279c6c41e988e7879ef35d650475c752c71d069d0e37fe351
    • Instruction ID: be6d556e5600d830db5c71513d7d02907de6a81ce39cff212d78358b599ba132
    • Opcode Fuzzy Hash: 67d2ce3e47faafe279c6c41e988e7879ef35d650475c752c71d069d0e37fe351
    • Instruction Fuzzy Hash: E1F09635205B115ADB711B647C49BABA7E6DB20756F640092EC45D23A1FA10D8C08A50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C327F7,00BD5AAE,?,00C327BF,?,00C1B492), ref: 00C32866
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C32879
    • FreeLibrary.KERNEL32(00000000,?,?,?,00C327F7,00BD5AAE,?,00C327BF,?,00C1B492), ref: 00C3289C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 49b46c9fb7949c4f0d81698f88aa1bbd77cfd30f9f3c00f7819679ff89b2e14a
    • Instruction ID: 0faaa22125f54f5f630fad60928cdc2d39c33fb6e8b322d2659572c94995eabe
    • Opcode Fuzzy Hash: 49b46c9fb7949c4f0d81698f88aa1bbd77cfd30f9f3c00f7819679ff89b2e14a
    • Instruction Fuzzy Hash: B0F04F35A10318BBCB159BA5DC49B9DBFB4EF44712F1040A9F809B22A0CB705E81DF92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 178b9ca265997274e171bf2ae5d9cb9ef6849e7eff695b1536f146a8f2dc50f3
    • Instruction ID: a9d9167fd26f4c4fe4860d3b6907d15306c70c48f90f8e38ef165d5056b9cbee
    • Opcode Fuzzy Hash: 178b9ca265997274e171bf2ae5d9cb9ef6849e7eff695b1536f146a8f2dc50f3
    • Instruction Fuzzy Hash: 6B41E232E103049FCB24DFB8D881A5EB7B5EF88710F154569E556EB381DA31AE02DB81
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00C45FFC
      • Part of subcall function 00C3FAF6: HeapFree.KERNEL32(00000000,00000000,?,00C3DB01), ref: 00C3FB0C
      • Part of subcall function 00C3FAF6: GetLastError.KERNEL32(?,?,00C3DB01), ref: 00C3FB1E
    • _free.LIBCMT ref: 00C4600E
    • _free.LIBCMT ref: 00C46020
    • _free.LIBCMT ref: 00C46032
    • _free.LIBCMT ref: 00C46044
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 6f4d303520ffd678dbf9da78a09e6af748ffc4891273a3878b43b8bbfc66cd3d
    • Instruction ID: b8c29f3c6a3d7072037ba3b70e57797afcb7a4cb76184de25416345cc061229c
    • Opcode Fuzzy Hash: 6f4d303520ffd678dbf9da78a09e6af748ffc4891273a3878b43b8bbfc66cd3d
    • Instruction Fuzzy Hash: FAF06732914300AB9730EB68E886E0F77E9BA01314BA40C19F52CDB614CF30FCC0AA68
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE4DA3
    Strings
    • . Do you want to continue with the new value?, xrefs: 00BE4DB4
    • AUTOHIDE SESSIONHIDECANCEL%s %I64u is incorrect, maximum possible value is %I64u%s, xrefs: 00BE4DC9
    • Number of sections, xrefs: 00BE4DC4
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: . Do you want to continue with the new value?$AUTOHIDE SESSIONHIDECANCEL%s %I64u is incorrect, maximum possible value is %I64u%s$Number of sections
    • API String ID: 885266447-2555838626
    • Opcode ID: 773ccc81725a022fab0f3822b56375a190ff702c960d8633fd0c8872ce885865
    • Instruction ID: a1d31b65b475171f3c33a253e09196901ff712d79dfa6420611089a3a3e0ef66
    • Opcode Fuzzy Hash: 773ccc81725a022fab0f3822b56375a190ff702c960d8633fd0c8872ce885865
    • Instruction Fuzzy Hash: 0CE17E70A00655AFDB28CF6AC884BAEB7E5FF04714F1486A9F819D7691D774EC80CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: __freea$_free
    • String ID: a/p$am/pm
    • API String ID: 3432400110-3206640213
    • Opcode ID: 2e822ff099e8ce75837495ff0a751bab7840ae60fc7fffce46dc02a806dd254b
    • Instruction ID: 78d93e390d2fc95fc55e07fac8fe8a59875bd9674132312ee1c82f59d092270c
    • Opcode Fuzzy Hash: 2e822ff099e8ce75837495ff0a751bab7840ae60fc7fffce46dc02a806dd254b
    • Instruction Fuzzy Hash: CFC11435900206CBCB248F69C89BBBEB7B0FF15714FA44159F916AB390D3319E42DBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualQueryEx.KERNEL32(?,?,CFA550F7,0000001C,?,?,?,?,?,?,?,?,?,?), ref: 00BE0C12
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: %sStack[%08X]$%sStack_PAGE_GUARD[%08X]$STACK
    • API String ID: 1804819252-3428214111
    • Opcode ID: 24fc25c746ed5261b6f10bd7d7242a152af16f11f0e05b460e0db31f1e04fa43
    • Instruction ID: e5e20b2e58913169bd6423d7063d55c14bafe6b692e86781460b6ea4714c558f
    • Opcode Fuzzy Hash: 24fc25c746ed5261b6f10bd7d7242a152af16f11f0e05b460e0db31f1e04fa43
    • Instruction Fuzzy Hash: 2AE149B1D0026CAADB20DB64CC45BDEBBB8AF49304F4441E9E609A3242E7715F84DF69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00BFDA95
    • std::_Xinvalid_argument.LIBCPMT ref: 00BFDAA5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: string too long$vector<T> too long
    • API String ID: 909987262-107800493
    • Opcode ID: b50900fd816d6e22581aa618ca441528d1a7620be70ed6b9affc03f95afda089
    • Instruction ID: e6bad9b21ab774f765e26f8f254561d3a63c6aa742d13e2925f28863c7008e5f
    • Opcode Fuzzy Hash: b50900fd816d6e22581aa618ca441528d1a7620be70ed6b9affc03f95afda089
    • Instruction Fuzzy Hash: 9BA1A271A04309DFCB14DF68D880BAEBBF5EF49310F14856DE959AB341D770A949CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualQueryEx.KERNEL32(?,-00000001,?,0000001C,?,?,?,?), ref: 00BE77DC
    Strings
    • %a: the page has not been allocated, xrefs: 00BE780B
    • %a: the page cannot be accessed, xrefs: 00BE782E
    • VirtualQueryEx, xrefs: 00BE77E6
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: %a: the page cannot be accessed$%a: the page has not been allocated$VirtualQueryEx
    • API String ID: 1804819252-340004040
    • Opcode ID: 5b43e2abb2d539461eaa7f350cb543a7ae0e915b7530e5ff0c13e462b9d49cc9
    • Instruction ID: 227fa2f87c815e1784e062d70e6acf31822825dc1d72d9888e304833e22cf708
    • Opcode Fuzzy Hash: 5b43e2abb2d539461eaa7f350cb543a7ae0e915b7530e5ff0c13e462b9d49cc9
    • Instruction Fuzzy Hash: 3451DE766083489FD710DF55EC84EABB7E8EF84714F00492EF84987252EB71EA48CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • TerminateProcess.KERNEL32(?,000000FF), ref: 00BDF1AB
      • Part of subcall function 00C1D4D0: GetCurrentThreadId.KERNEL32 ref: 00C1D4E7
      • Part of subcall function 00C1D4D0: InitializeCriticalSection.KERNEL32(00000000), ref: 00C1D509
    • SuspendThread.KERNEL32(?,?,?,?,?,000075EF), ref: 00BDF248
    Strings
    Similarity
    • API ID: Thread$CriticalCurrentInitializeProcessSectionSuspendTerminate
    • String ID: TerminateProcess$continue_after_event
    • API String ID: 2305517139-3403241224
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNEL32(Shell32.dll,CFA550F7,00000000,00000000,00C4F3C8,000000FF), ref: 00C1F2CB
    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00C1F2DB
    Strings
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: SHGetFolderPathW$Shell32.dll
    • API String ID: 2574300362-1831903832
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: Initialize
    • String ID: csm
    • API String ID: 2538663250-1018135373
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: ContextThread
    • String ID: GetThreadContext$SetThreadContext
    • API String ID: 1591575202-1281544224
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,?,Unhandled C++ exception: %s,00000000,?,?,?,CFA550F7), ref: 00BD8455
    Strings
    Similarity
    • API ID: CreateFile
    • String ID: Unhandled C++ exception!$Unhandled C++ exception: %s$pdb
    • API String ID: 823142352-1417998992
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,CFA550F7), ref: 00C21804
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?), ref: 00C21847
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00C21884
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00C219A3
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SuspendThread.KERNEL32(?,CFA550F7), ref: 00BE6424
    • ResumeThread.KERNEL32(?), ref: 00BE642D
    • SuspendThread.KERNEL32(?), ref: 00BE6441
    • SuspendThread.KERNEL32(?), ref: 00BE6455
    Similarity
    • API ID: Thread$Suspend$Resume
    • String ID:
    • API String ID: 20103837-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00C1E15D
      • Part of subcall function 00C2997F: __CxxThrowException@8.LIBVCRUNTIME ref: 00C2AA46
      • Part of subcall function 00C2997F: __CxxThrowException@8.LIBVCRUNTIME ref: 00C2AA63
    • InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00C4F468,000000FF), ref: 00C1E17F
    • EnterCriticalSection.KERNEL32(00D773D8,CFA550F7,?,00000000,00000001,?,?,CFA550F7,00000000,00000000,00000001,?,?,00C4F468,000000FF), ref: 00C1E197
    • LeaveCriticalSection.KERNEL32(00D773D8), ref: 00C1E26B
    Similarity
    • API ID: CriticalSection$Exception@8Throw$CurrentEnterInitializeLeaveThread
    • String ID:
    • API String ID: 2208964849-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,00000000,?,00C2F3F8,00000000,000000FF,?,?,00C341B6,00000000,?,?), ref: 00C3EBE4
    • _free.LIBCMT ref: 00C3EC3F
    • _free.LIBCMT ref: 00C3EC75
    • SetLastError.KERNEL32(00000000,00000005,000000FF,?,00C341B6,00000000,?,?), ref: 00C3EC80
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,CFA550F7,00C340C1,00C3FB1C,?,?,00C3DB01), ref: 00C3ED35
    • _free.LIBCMT ref: 00C3ED90
    • _free.LIBCMT ref: 00C3EDC6
    • SetLastError.KERNEL32(00000000,00000005,000000FF,?,CFA550F7,00C340C1,00C3FB1C,?,?,00C3DB01), ref: 00C3EDD1
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00C41A5F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00C3F294,?,00000000,00000000), ref: 00C41B01
    • GetLastError.KERNEL32(?,00C33FD4,?,?,00C33FD4,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00C33DCE
    • __dosmaperr.LIBCMT ref: 00C33DD5
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00C33FD4,?,?,00C33FD4,00000000,?,?), ref: 00C33E16
    • __dosmaperr.LIBCMT ref: 00C33E1D
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
    • String ID:
    • API String ID: 1913693674-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00C1E3BA
      • Part of subcall function 00C2997F: __CxxThrowException@8.LIBVCRUNTIME ref: 00C2AA46
      • Part of subcall function 00C2997F: __CxxThrowException@8.LIBVCRUNTIME ref: 00C2AA63
    • InitializeCriticalSection.KERNEL32(00000000), ref: 00C1E3DC
    • EnterCriticalSection.KERNEL32(00D773D8,CFA550F7,?,?,?,00000000,00C4B768,000000FF,?,00BE9A15,00000000,00000001,?,00000000), ref: 00C1E3F4
    • LeaveCriticalSection.KERNEL32(00D773D8,?), ref: 00C1E41C
    Similarity
    • API ID: CriticalSection$Exception@8Throw$CurrentEnterInitializeLeaveThread
    • String ID:
    • API String ID: 2208964849-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___BuildCatchObject.LIBVCRUNTIME ref: 00C2DDE4
      • Part of subcall function 00C2DD31: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C2DD60
      • Part of subcall function 00C2DD31: ___AdjustPointer.LIBCMT ref: 00C2DD7B
    • _UnwindNestedFrames.LIBCMT ref: 00C2DDF9
    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C2DE0A
    • CallCatchBlock.LIBVCRUNTIME ref: 00C2DE32
    Similarity
    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
    • String ID:
    • API String ID: 737400349-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00C419E3: MultiByteToWideChar.KERNEL32(00C45BCF,00000100,5EFC4D8B,00000000,00000000,00000020,?,00C461B6,00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100), ref: 00C41A53
    • GetLastError.KERNEL32(?,?,000000FF,00000000,?,?,?,?,?,?,00C34028,?,?,?,00C1B770,00000000), ref: 00C33D48
    • __dosmaperr.LIBCMT ref: 00C33D4F
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000FF,00000000,?,?), ref: 00C33D8F
    • __dosmaperr.LIBCMT ref: 00C33D96
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
    • String ID:
    • API String ID: 1913693674-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFullPathNameW.KERNEL32(00000000,?,?,00000000,00000104,00000000,?,00C392A5,CFA550F7,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C39110
    • GetLastError.KERNEL32(?,00C392A5,CFA550F7,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00C1E66C,?,00000104,CFA550F7,?), ref: 00C3911A
    • __dosmaperr.LIBCMT ref: 00C39121
    Similarity
    • API ID: ErrorFullLastNamePath__dosmaperr
    • String ID:
    • API String ID: 2398240785-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFullPathNameW.KERNEL32(00000000,?,?,00000000,00000104,00000000,?,00C392D9,CFA550F7,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C39178
    • GetLastError.KERNEL32(?,00C392D9,CFA550F7,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00C1E66C,?,00000104,CFA550F7,?), ref: 00C39182
    • __dosmaperr.LIBCMT ref: 00C39189
    Similarity
    • API ID: ErrorFullLastNamePath__dosmaperr
    • String ID:
    • API String ID: 2398240785-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(00000000,?,00BE47BC,00C24E77,00000000,?,000000FF,00000088,00000000), ref: 00C1D474
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00C1D494
    • GetLastError.KERNEL32 ref: 00C1D4A6
    • CloseHandle.KERNEL32(00000000), ref: 00C1D4C4
    Similarity
    • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
    • String ID:
    • API String ID: 2321548817-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000105,00C7D448), ref: 00C4540B
    • GetLastError.KERNEL32 ref: 00C45415
    • __dosmaperr.LIBCMT ref: 00C4541C
    • _mbstowcs.LIBCMT ref: 00C45431
    Similarity
    • API ID: ErrorFileLastModuleName__dosmaperr_mbstowcs
    • String ID:
    • API String ID: 2664030482-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00C4417C,00000000,00000001,00000000,00000000,?,00C3ACE2,00000000,?,00000000), ref: 00C48FD3
    • GetLastError.KERNEL32(?,00C4417C,00000000,00000001,00000000,00000000,?,00C3ACE2,00000000,?,00000000,00000000,00000000,?,00C3B263,?), ref: 00C48FDF
      • Part of subcall function 00C48FA5: CloseHandle.KERNEL32(FFFFFFFE,00C48FEF,?,00C4417C,00000000,00000001,00000000,00000000,?,00C3ACE2,00000000,?,00000000,00000000,00000000), ref: 00C48FB5
    • ___initconout.LIBCMT ref: 00C48FEF
      • Part of subcall function 00C48F67: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C48F96,00C44162,00000000,?,00C3ACE2,00000000,?,00000000,00000000), ref: 00C48F7A
    • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00C4417C,00000000,00000001,00000000,00000000,?,00C3ACE2,00000000,?,00000000,00000000), ref: 00C49004
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: d8df87be21f3c1ddd66567bf5753bc85f7e0507877c418a5456f9650d0d42cef
    • Instruction ID: 2c831b98a468d13cb7b3d9f9e18a0037aa7613c3b14533d219c26eaec7a45a93
    • Opcode Fuzzy Hash: d8df87be21f3c1ddd66567bf5753bc85f7e0507877c418a5456f9650d0d42cef
    • Instruction Fuzzy Hash: BFF0AC3A501129BBCF221FD5EC09B9E3F66FF483A1B144110FE18A5161DB329960AB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00BFD814
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00BFD825
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Exception@8ThrowXinvalid_argumentstd::_
    • String ID: list<T> too long
    • API String ID: 3614006799-4027344264
    • Opcode ID: 930564553be60f3fe44adb9bdbba5040c75add7b189e052fc57176499e0e8fef
    • Instruction ID: 7fdd9f375b4af6e74dabba89fbbbc63f4a5a86b0991073e4da4a65adba5502b9
    • Opcode Fuzzy Hash: 930564553be60f3fe44adb9bdbba5040c75add7b189e052fc57176499e0e8fef
    • Instruction Fuzzy Hash: 66717176A002199FCB14DF6CC880A6AB7F5EF88310F14C6A9E919DB345D730ED08CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetACP.KERNEL32(00000000,00000000,00000000,?,?,00C207E7,00000000,?,?,?,?), ref: 00C20E81
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID:
    • String ID: char$wchar_t
    • API String ID: 0-3809185888
    • Opcode ID: a973bf07c52016c0af8665983d407f109be924e39729f430074211ff8d9fa73d
    • Instruction ID: 974c3d0da87c616b82a02b654999782a38190c51b26c292f7ac9e3a5c757b129
    • Opcode Fuzzy Hash: a973bf07c52016c0af8665983d407f109be924e39729f430074211ff8d9fa73d
    • Instruction Fuzzy Hash: 526144716043698BD7249F74B9C1B667BE6EB45300F24096EDC9A8B743E732ED09CB41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ApplyControlToken.SECUR32(?,00000000,00000002,00000000,00000000,00000000,CFA550F7), ref: 00C1A5E8
    • InitializeSecurityContextA.SECUR32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000001), ref: 00C1A63C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ApplyContextControlInitializeSecurityToken
    • String ID: irs
    • API String ID: 2510280397-1816269391
    • Opcode ID: 160ca2a48d5b0b6f0a650dc01594292f518913d497b965e8b48d6f2cfee4eec0
    • Instruction ID: 18be0633c84b9ccbdcec26dfeb34636aa8ec57c97e2e3409e29a58484c39ae3b
    • Opcode Fuzzy Hash: 160ca2a48d5b0b6f0a650dc01594292f518913d497b965e8b48d6f2cfee4eec0
    • Instruction Fuzzy Hash: DE416B70D01348EEEB11DBA4CD05BEEBBB8FF59304F244219E805A3281D7B56A85EB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetThreadContext.KERNEL32(?,?,?,?,?,?,?,00BE39A3,00000000,?,?,?,00000000,?,00000040), ref: 00BE66AF
      • Part of subcall function 00BDE1E0: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,00BE55EF,?,00BDB9FD,?,?,?,?,00BE08E1,00000001,?), ref: 00BDE237
      • Part of subcall function 00BDE1E0: GetProcAddress.KERNEL32(00000000,GetEnabledXStateFeatures), ref: 00BDE24B
      • Part of subcall function 00BDE1E0: GetProcAddress.KERNEL32(00000000,InitializeContext), ref: 00BDE256
      • Part of subcall function 00BDE1E0: GetProcAddress.KERNEL32(00000000,GetXStateFeaturesMask), ref: 00BDE261
      • Part of subcall function 00BDE1E0: GetProcAddress.KERNEL32(00000000,LocateXStateFeature), ref: 00BDE26C
      • Part of subcall function 00BDE1E0: GetProcAddress.KERNEL32(00000000,SetXStateFeaturesMask), ref: 00BDE277
      • Part of subcall function 00BDE1E0: GetProcAddress.KERNEL32(00000000,CopyContext), ref: 00BDE282
      • Part of subcall function 00BDE1E0: GetLastError.KERNEL32(?,?,?,00BE55EF,?,00BDB9FD,?,?,?,?,00BE08E1,00000001,?,?,?,?), ref: 00BDE2CE
    • GetThreadContext.KERNEL32(?,?,?,CFA550F7,?,?,?,?,?,00BE39A3,00000000,?,?,?,00000000,?), ref: 00BE6634
    Strings
    • %d: SetThreadContext failed, xrefs: 00BE66E5
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: AddressProc$ContextThread$ErrorHandleLastModule
    • String ID: %d: SetThreadContext failed
    • API String ID: 207368803-3784105849
    • Opcode ID: 27947c0ad2114545ab02e2fd0acc7b91e4dfff7afdc52ce6449b0029fbb4fa2f
    • Instruction ID: 45c47121526f93c8fdb3b6e5e33ccad26c1a2a9712249c49ac3a086fcf68d0f2
    • Opcode Fuzzy Hash: 27947c0ad2114545ab02e2fd0acc7b91e4dfff7afdc52ce6449b0029fbb4fa2f
    • Instruction Fuzzy Hash: F63126722007418FE3258F2AEC04BE6B7E4FF65394F14466EE99287691D7B1EC85DB20
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetThreadContext.KERNEL32(00000000,?,?,0000003F), ref: 00BE6DBD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: ContextThread
    • String ID: SetThreadContext$write_registers: %d
    • API String ID: 1591575202-2684180185
    • Opcode ID: c1bbb85968551909451b19f3a370368335cf20eba814c3ae05dc2872535fcc43
    • Instruction ID: cca5d13a4dd22ef27cfee7a70bd6fd582e13dd7e67a598362c8e4bbc409f97e9
    • Opcode Fuzzy Hash: c1bbb85968551909451b19f3a370368335cf20eba814c3ae05dc2872535fcc43
    • Instruction Fuzzy Hash: 93212531300299AFCB14DF16DC80BAAB3EAFBA0344F48C4B9F8495B252DB60DC45D760
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BDA654
    Strings
    • . Do you want to continue with the new value?, xrefs: 00BDA661
    • AUTOHIDE SESSIONHIDECANCEL%s %I64u is incorrect, maximum possible value is %I64u%s, xrefs: 00BDA675
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: . Do you want to continue with the new value?$AUTOHIDE SESSIONHIDECANCEL%s %I64u is incorrect, maximum possible value is %I64u%s
    • API String ID: 885266447-2617911333
    • Opcode ID: e78095b98d58ed3a714916ff77ce7a26ca29f80c7c4072edb0c304d551fb0053
    • Instruction ID: 248f9a7a3ee34624eb3b3a4e6fa41277973665f9fd3a45740fb86650b35e8140
    • Opcode Fuzzy Hash: e78095b98d58ed3a714916ff77ce7a26ca29f80c7c4072edb0c304d551fb0053
    • Instruction Fuzzy Hash: 23218D32605701ABD718DE788C81F2BF7DAEBC4720F284A6AF965D7390F6B0DC404656
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,?,Unhandled C++ exception: %s,00000000,?,?,?,CFA550F7), ref: 00BD8455
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: Unhandled C++ exception: %s$pdb
    • API String ID: 823142352-750547351
    • Opcode ID: 392428b1cc2300d99b3e3ca6d81dad50c4256a3b96b26ab4e6e2f5e0f80c9209
    • Instruction ID: 6be640f628d13e60e31ae20c7883c83560fdaf1d61618893b3e704fa2c410935
    • Opcode Fuzzy Hash: 392428b1cc2300d99b3e3ca6d81dad50c4256a3b96b26ab4e6e2f5e0f80c9209
    • Instruction Fuzzy Hash: D8318D31600209AFD7249F98DC45F9EBBE5EF44B11F10416AF915AB790DB71AC00CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___except_validate_jump_buffer.LIBVCRUNTIME ref: 00C2D863
    • RtlUnwind.KERNEL32(?,00C2EB5E,80000026,00000000,?,?), ref: 00C2EB59
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2870031819.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
    • Associated: 00000000.00000002.2870017256.0000000000BD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870078595.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870104770.0000000000C79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2870121361.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bd0000_win32_remote.jbxd
    Similarity
    • API ID: Unwind___except_validate_jump_buffer
    • String ID: 02CV
    • API String ID: 3589369059-2950495812
    • Opcode ID: bb2dedf9619203fc0d5a76ae38e7ce16adbaca1bd61138bbfa5c7db760550557
    • Instruction ID: a1d68f72430b2873b5b01b279fb23e81eaad212cf495e83e2d79ed63671d4935
    • Opcode Fuzzy Hash: bb2dedf9619203fc0d5a76ae38e7ce16adbaca1bd61138bbfa5c7db760550557
    • Instruction Fuzzy Hash: 9B2149B19002289BEB10EF94E881B9ABBA8FF04310F540560E815BF646D775ED95CBE5
    Uniqueness

    Uniqueness Score: -1.00%