Windows Analysis Report
kQibsaGS2E.exe

Overview

General Information

Sample name: kQibsaGS2E.exe (renamed because the original name is a hash value)
Original sample name: 9c1047801b38650382f68beedae4bcbd47bba142abad7405cac530f4e09f47ee.exe
Analysis ID: 1588574
MD5: 622477f506f2cc70c597fcec0aeac1a1
SHA1: cb7bb785347769bff73647976c57350320ca498e
SHA256: 9c1047801b38650382f68beedae4bcbd47bba142abad7405cac530f4e09f47ee
Tags: exe, user-adrian__luca

Detection

Score: 60 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found potential string decryption / allocating functions
One or more processes crash
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • kQibsaGS2E.exe (PID: 1540 cmdline: "C:\Users\user\Desktop\kQibsaGS2E.exe" MD5: 622477F506F2CC70C597FCEC0AEAC1A1)
    • WerFault.exe (PID: 2760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 532 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: kQibsaGS2E.exe | Virustotal: Detection: 36%
Source: kQibsaGS2E.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: kQibsaGS2E.exe | Joe Sandbox ML: detected
Source: kQibsaGS2E.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Networking

Source: global traffic | TCP traffic: 192.168.2.7:58723 -> 162.159.36.2:53
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (reported 5 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
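
The two network signatures above ("TCP/UDP traffic detected without corresponding DNS query" and "Detected non-DNS traffic on DNS port") come down to correlating each flow against the DNS answers seen before it and sanity-checking what is sent to port 53. The Python below is an added example of that logic, not Joe Sandbox code. The DNS log and flows are constructed to mirror the report's observations; timestamps, payloads and the resolver allowlist are assumptions. Note that 1.1.1.1 is a public resolver and 162.159.36.2 lies in Cloudflare's address space, so hits like these need an allowlist of the analysis network's own resolvers before they are read as command-and-control evidence.

```python
"""Correlate observed flows with DNS answers: the logic behind the report's
'traffic without corresponding DNS query' and 'non-DNS traffic on DNS port'
signatures. Added example; not part of Joe Sandbox or the report."""

DNS_OPCODES = {0, 1, 2, 4, 5}  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def looks_like_dns(payload: bytes, tcp: bool) -> bool:
    """Cheap structural check: sane DNS header plus a well-formed first question.
    Over TCP the message carries a 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
    if tcp:
        if len(payload) < 2:
            return False
        length = int.from_bytes(payload[:2], "big")
        payload = payload[2:]
        if length < 12 or length > len(payload):
            return False
        payload = payload[:length]
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qr, opcode, z = flags >> 15, (flags >> 11) & 0xF, (flags >> 6) & 1
    qdcount = int.from_bytes(payload[4:6], "big")
    if opcode not in DNS_OPCODES or z != 0:
        return False
    if qdcount == 0:
        return qr == 1  # a response may legitimately carry no question; a query may not
    # Walk the first QNAME: labels of 1..63 bytes, at most 255 in total, zero-terminated.
    pos, total = 12, 0
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return pos + 1 + 4 <= len(payload)  # QTYPE and QCLASS must follow the name
        if n > 63 or total + n + 1 > 255:
            return False
        total += n + 1
        pos += n + 1
    return False


def correlate(dns_log, flows, allowlist=frozenset()):
    """Return sorted, de-duplicated (dst, dport, proto, reason) findings."""
    findings = set()
    for f in flows:
        if f["dst"] in allowlist:
            continue  # configured resolver or analysis infrastructure
        resolved = any(f["dst"] in r["answers"] and r["ts"] <= f["ts"] for r in dns_log)
        if not resolved:
            findings.add((f["dst"], f["dport"], f["proto"], "no prior DNS resolution"))
        if f["dport"] == 53 and not looks_like_dns(f["payload"], tcp=f["proto"] == "tcp"):
            findings.add((f["dst"], f["dport"], f["proto"], "non-DNS payload on port 53"))
    return sorted(findings)


def dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query (RD=1) for qname."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + b"\x00\x01\x00\x01"


# Constructed events mirroring the report's observations. Timestamps are relative
# seconds and payloads are stand-ins; none of this is captured traffic.
DNS_LOG = [
    {"ts": 1.0, "qname": "time.windows.com", "answers": ["40.69.42.241"]},
    {"ts": 2.0, "qname": "241.42.69.40.in-addr.arpa", "answers": []},
]
HTTP_ON_53 = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
FLOWS = [
    {"ts": 0.5, "proto": "udp", "dst": "1.1.1.1", "dport": 53, "payload": dns_query("time.windows.com")},
    {"ts": 1.5, "proto": "udp", "dst": "40.69.42.241", "dport": 123, "payload": b"\x1b" + b"\0" * 47},
    {"ts": 3.0, "proto": "tcp", "dst": "162.159.36.2", "dport": 53, "payload": HTTP_ON_53},
    {"ts": 3.1, "proto": "tcp", "dst": "162.159.36.2", "dport": 53, "payload": HTTP_ON_53},
]
RESOLVERS = frozenset({"1.1.1.1"})  # assumed resolver of the analysis network

if __name__ == "__main__":
    for finding in correlate(DNS_LOG, FLOWS, RESOLVERS):
        print(*finding)
```

Without the allowlist the UDP flow to 1.1.1.1 is flagged too, exactly as in the report; with it, only the TCP flows to 162.159.36.2 remain, and they fail both checks.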

System Summary

Source: kQibsaGS2E.exe, 00000000.00000000.1364764603.0000000000D04000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: kQibsaGS2E.exe, 00000000.00000000.1364764603.0000000000D04000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: kQibsaGS2E.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: kQibsaGS2E.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
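
The "Binary is likely a compiled AutoIt script file" signature rests on the banner string quoted above, and "Uses 32bit PE files" on the IMAGE_FILE_HEADER flags listed under Static PE information (EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE). The Python below is an added example, not Joe Sandbox code, that reproduces both checks. It runs on a constructed stand-in buffer (a minimal PE header carrying those flags, followed by AutoIt markers), not on the sample itself. "AU3!EA06" is the tag of the AutoIt3 script resource; the banner string is the one the report quotes. Compiled AutoIt is also used by legitimate software, so a hit describes the packaging, not maliciousness.

```python
"""Static triage of a PE image: decode IMAGE_FILE_HEADER flags and look for
compiled-AutoIt markers. Added example; not part of Joe Sandbox or the report."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), ordered by bit value.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x1000: "SYSTEM", 0x2000: "DLL",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# Markers of a compiled AutoIt v3 script: the resource tag and the stub banner the
# report found both on disk and in memory (AutoIt3 stores it as UTF-16LE).
AUTOIT_MARKERS = {
    "AU3!EA06 resource tag": [b"AU3!EA06"],
    "AutoIt3 stub banner": [
        b"This is a third-party compiled AutoIt script.",
        "This is a third-party compiled AutoIt script.".encode("utf-16-le"),
    ],
}


def parse_file_header(data: bytes) -> dict:
    """Return Machine and decoded Characteristics of a PE image, or {} if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {}
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes after "PE\0\0").
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit],
        "is_32bit": machine == 0x014C,
    }


def find_autoit_markers(data: bytes) -> list:
    return sorted(name for name, needles in AUTOIT_MARKERS.items()
                  if any(n in data for n in needles))


def triage(data: bytes) -> dict:
    info = parse_file_header(data)
    info["autoit_markers"] = find_autoit_markers(data)
    info["likely_compiled_autoit"] = bool(info["autoit_markers"])
    return info


def build_sample() -> bytes:
    """Constructed stand-in (not the real binary): a minimal PE header with the flags
    the report lists, followed by the AutoIt markers."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> NT headers at 0x80
    dos += b"\0" * (0x80 - len(dos))
    chars = 0x0002 | 0x0020 | 0x0100                 # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x014C, 4, 0, 0, 0, 0xE0, chars)
    payload = (b"\0" * 64 + b"AU3!EA06" + b"\0" * 16
               + "This is a third-party compiled AutoIt script.".encode("utf-16-le"))
    return bytes(dos) + b"PE\0\0" + file_header + payload


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real file, read it in binary mode and pass the bytes to triage(); the characteristics list comes out in the same order the report prints them.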
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code functions: 0_2_00C721C5, 0_2_00C862D2, 0_2_00CD03DA, 0_2_00C8242E, 0_2_00C725FA, 0_2_00C666E1, 0_2_00C5E6A0, 0_2_00CAE616, 0_2_00C8878F, 0_2_00CB8889, 0_2_00C86844, 0_2_00CD0857, 0_2_00C7CB21, 0_2_00C86DB6, 0_2_00C66F9E, 0_2_00C63030, 0_2_00C7F1D9, 0_2_00C73187, 0_2_00C51287, 0_2_00C71484, 0_2_00C65520, 0_2_00C77696, 0_2_00C65760, 0_2_00C7D975, 0_2_00C71978, 0_2_00C89AB5, 0_2_00C5FCE0, 0_2_00CD7DDB, 0_2_00C71D90, 0_2_00C7BDA6, 0_2_00C63FE0, 0_2_00C5DF00
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: String function: 00C59A98 appears 32 times
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: String function: 00C598C0 appears 32 times
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: String function: 00C78900 appears 42 times
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 532
Source: kQibsaGS2E.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.winEXE@2/5@2/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1540
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\118aab88-6490-45db-b4ad-d2806923085d
Source: kQibsaGS2E.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: kQibsaGS2E.exe | Virustotal: Detection: 36%
Source: kQibsaGS2E.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\kQibsaGS2E.exe "C:\Users\user\Desktop\kQibsaGS2E.exe"
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 532
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Section loaded: wsock32.dll
Source: kQibsaGS2E.exe | Static file information: File size 1360384 > 1048576
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: 0_2_00C78945 push ecx; ret 0_2_00C78958
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: 0_2_00C52F12 push es; retf 0_2_00C52F13
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (reported 5 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 51 times)
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: 0_2_00C77DCD ___security_init_cookie,LdrInitializeThunk,0_2_00C77DCD
Source: kQibsaGS2E.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\kQibsaGS2E.exe | Code function: 0_2_00C7862B cpuid 0_2_00C7862B
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
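
Several evidence lines above (the VMware hardware strings, the msmpeng.exe paths) cite Amcache.hve.4.dr as their source. That is the Amcache registry hive listed among the files WerFault.exe dropped further down, so it reflects the analysis VM's own software inventory rather than anything the sample does; the "AV process strings found" signature is correspondingly weak for this sample. The Python below is an added example, not Joe Sandbox code, that parses the "Source: ... | ..." evidence lines (including the fused form extraction produced, where the separator was lost), classifies each source as the sample, a dropped file, or something else, and lists the evidence that only dropped artefacts support. The sample-name constant, the list of detail prefixes and the ".N.dr" dropped-file suffix convention are assumptions taken from this report.

```python
"""Group a Joe Sandbox report's evidence lines by the artefact they came from, so
that signatures backed only by dropped OS artefacts stand out. Added example;
not part of Joe Sandbox or the report."""
import re
from collections import defaultdict

# Detail types seen in this report (assumption: extend per report). They split fused
# lines such as "Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe".
DETAIL_PREFIXES = (
    "Virustotal:", "ReversingLabs:", "Joe Sandbox ML:", "Binary or memory string:",
    "String found in binary or memory:", "Code function:", "Process created:",
    "Section loaded:", "Process queried:", "Key opened:", "Static PE information:",
    "Mutant created:", "File created:", "Process information set:",
)
SAMPLE_NAME = "kQibsaGS2E.exe"  # assumption: taken from this report's header
TRAILING_RESIDUE = re.compile(r"(Jump to behavior|Perma Link|memstr_[0-9a-f]+-[0-9a-f])$")


def split_evidence(line: str):
    """Return (source, detail) or None for lines that are not evidence."""
    if not line.startswith("Source: "):
        return None
    body = TRAILING_RESIDUE.sub("", line[len("Source: "):].rstrip()).rstrip()
    if " | " in body:                       # already delimited
        source, detail = body.split(" | ", 1)
        return source.strip(), detail.strip()
    # Fused form: the detail starts at the earliest known prefix after the source.
    cut = min((i for i in (body.find(p) for p in DETAIL_PREFIXES) if i > 0), default=-1)
    if cut < 0:
        return None
    return body[:cut].strip(), body[cut:].strip()


def classify_source(source: str) -> str:
    """sample: the submitted file or its memory dumps; dropped: a file written during
    the run (Joe Sandbox suffixes these .<index>.dr); other: anything else."""
    if re.search(r"\.\d+\.dr$", source):
        return "dropped"
    if SAMPLE_NAME in source:
        return "sample"
    return "other"


def group_evidence(lines):
    """Map each detail string to the set of source classes that carry it."""
    groups = defaultdict(set)
    for line in lines:
        parsed = split_evidence(line)
        if parsed:
            source, detail = parsed
            groups[detail].add(classify_source(source))
    return dict(groups)


def only_from_dropped(groups) -> list:
    """Evidence that no sample-derived source supports."""
    return sorted(d for d, classes in groups.items() if classes == {"dropped"})


# Constructed input: lines copied from the report above, in both the fused and the
# delimited form, plus one non-evidence line.
REPORT_LINES = [
    "Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe",
    "Source: Amcache.hve.4.dr | Binary or memory string: c:\\program files\\windows defender\\msmpeng.exe",
    "Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.",
    "Source: kQibsaGS2E.exe, 00000000.00000000.1364764603.0000000000D04000.00000002.00000001.01000000.00000003.sdmp"
    "String found in binary or memory: This is a third-party compiled AutoIt script.memstr_54c5c528-e",
    "Source: kQibsaGS2E.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d41b3cf3-9",
    "Source: C:\\Users\\user\\Desktop\\kQibsaGS2E.exeProcess queried: DebugPortJump to behavior",
    "Source: C:\\Windows\\SysWOW64\\WerFault.exeMutant created: \\Sessions\\1\\BaseNamedObjects\\Local\\WERReportingForProcess1540",
    "No Sigma rule has matched",
]

if __name__ == "__main__":
    for detail in only_from_dropped(group_evidence(REPORT_LINES)):
        print("dropped-artefact-only evidence:", detail)
```

Run against the whole report, the VMware and Defender strings fall into the dropped-only bucket, while the AutoIt banner, the DebugPort query and the cpuid use are sample-backed.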
MITRE ATT&CK Matrix

Counts in brackets are the report's badge counts for the techniques this analysis matched; entries without a count are the standard matrix rows Joe Sandbox renders for every report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection [2]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion [1]; Process Injection [2]; Deobfuscate/Decode Files or Information [1]; DLL Side-Loading [1]; Obfuscated Files or Information [2]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [21]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; System Information Discovery [11]; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
kQibsaGS2E.exe | 36% | Virustotal |
kQibsaGS2E.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject
kQibsaGS2E.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
241.42.69.40.in-addr.arpa | unknown | unknown | false | | high
time.windows.com | unknown | unknown | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | | high

No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588574
Start date and time: 2025-01-11 02:34:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kQibsaGS2E.exe (renamed because the original name is a hash value)
Original Sample Name: 9c1047801b38650382f68beedae4bcbd47bba142abad7405cac530f4e09f47ee.exe
Detection: MAL
Classification: mal60.winEXE@2/5@2/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 1
• Number of non-executed functions: 61
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.40.149.189, 104.208.16.94, 13.107.246.45, 40.126.32.134, 20.12.23.50, 40.69.42.241, 52.149.20.212
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, um  watson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
20:35:52 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context

Domain context: s-part-0017.t-0009.t-msedge.net was also seen in the following analyses.

Associated Sample Name / URL | Detection | Threat Name | Shared IP
1907125702104121563.js | malicious | Strela Downloader | 13.107.246.45
2937924646314313784.js | malicious | Strela Downloader | 13.107.246.45
RdichqztBg.exe | malicious | FormBook | 13.107.246.45
AraK29dzhH.exe | malicious | FormBook | 13.107.246.45
YrCSUX2O3I.exe | malicious | GuLoader | 13.107.246.45
http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 13.107.246.45
uG3I84bQEr.exe | malicious | FormBook | 13.107.246.45
12621132703258916868.js | malicious | Strela Downloader | 13.107.246.45
Cpfkf79Rzk.exe | malicious | GuLoader | 13.107.246.45
https://noiclethomas.wixsite.com/rice | malicious | Unknown | 13.107.246.45

13.107.246.45 is on this analysis's IP whitelist (see Cookbook Comments) and t-msedge.net is a Microsoft-operated endpoint contacted by the Windows image itself, so these matches reflect infrastructure common to every Windows analysis run, not infrastructure shared with those samples.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8473868161112874
Encrypted: false
SSDEEP: 96:37F0HBhuVsFhcX7ZfzQXIDcQvc6QcEVcw3cE/9Bz+HbHgoC5AJ8v3JIDV9Mb/XED:rQhuVC0BU/QjgLqzuiFDZ24IO8SR
MD5: 8C639DC7C8995C4EAC9AF404F7CE8A32
SHA1: B77B5DEF9E766E2831538710D670D4545D5E3452
SHA-256: 6B57086E4A5A8B4CFDFF59D90B96D19408F3EBABA931F21EC40460F9E8023644
SHA-512: 054903DE9834397B7D41E5D9AD17557D05A6EFCCF061AF9E0EA1401012E13D59611C480D9651F920E80FA3A1A6F392849517BDB867C2E3F524C7561326EAF892
Malicious: true
Reputation: low
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.3.2.9.3.2.9.2.1.8.5.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.3.2.9.3.3.7.9.6.8.6.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.b.5.c.7.c.7.-.0.e.9.6.-.4.5.1.6.-.9.0.3.0.-.0.e.6.c.e.3.b.4.0.4.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.5.8.6.5.e.f.-.5.f.a.8.-.4.a.a.4.-.b.0.c.0.-.f.f.3.4.a.6.c.d.e.3.1.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.Q.i.b.s.a.G.S.2.E...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.0.4.-.0.0.0.1.-.0.0.1.4.-.9.0.1.7.-.9.2.1.a.c.9.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.6.4.2.7.f.f.1.6.e.3.d.e.3.6.a.c.7.c.c.a.9.4.2.3.9.6.1.5.3.6.f.0.0.0.0.0.9.0.8.!.0.0.0.0.c.b.7.b.b.7.8.5.3.4.7.7.6.9.b.f.f.7.3.6.4.7.9.7.6.c.5.7.3.5.0.3.2.0.c.a.4.9.8.e.!.k.Q.i.b.s.a.G.S.2.E...e.x.e.....T.a.r.g.e.t.A.p.p.
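
The file previewed above is the UTF-16 key=value report WerFault.exe writes for an APPCRASH (a .wer file). Its TargetAppId field ends in "!0000<sha1>!<name>", and the 40 hex digits there (cb7bb785...) are the sample's own SHA1 from the header, so the crash record itself pins which binary died. Wow64Host=34404 (0x8664) and Wow64Guest=332 (0x14C) record a 32-bit process on a 64-bit host, and EventTime is a FILETIME that decodes to 2025-01-11 01:35:32 UTC, about a minute after the analysis started. Together with HCA reporting only 1 executed function against 61 non-executed ones, this says the sample crashed almost immediately, which is why the behavioural evidence in this report is thin. The Python below is an added example, not Joe Sandbox code. Its input is a constructed stand-in re-encoded from the fields visible in the preview, and reading the middle TargetAppId component as a SHA1 on reports other than this one is an assumption to verify.

```python
"""Parse a WER .wer crash report (UTF-16 key=value text) and tie it back to the
crashing binary. Added example; not part of Joe Sandbox or the report."""
from datetime import datetime, timedelta, timezone

MACHINE_TYPES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}  # IMAGE_FILE_MACHINE_*
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_wer(data: bytes) -> dict:
    """Decode the BOM-prefixed UTF-16 text and return key -> value.
    Lines without '=' are ignored; a repeated key keeps its last value."""
    fields = {}
    for line in data.decode("utf-16").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize(fields: dict) -> dict:
    """What an analyst wants from the record: what crashed, when, bitness, and the
    SHA1 embedded in TargetAppId (assumed layout W:<id>!0000<sha1>!<name>)."""
    parts = fields.get("TargetAppId", "").split("!")
    sha1 = parts[1][4:] if len(parts) == 3 and parts[1].startswith("0000") else None
    return {
        "event": fields.get("EventType"),
        "app": fields.get("NsAppName"),
        "time_utc": filetime_to_datetime(int(fields["EventTime"])) if "EventTime" in fields else None,
        "host_arch": MACHINE_TYPES.get(int(fields.get("Wow64Host", 0))),
        "guest_arch": MACHINE_TYPES.get(int(fields.get("Wow64Guest", 0))),
        "target_sha1": sha1,
    }


# Constructed stand-in for the dropped file: the fields visible in its preview,
# re-encoded as UTF-16LE with BOM and CRLF line endings.
SAMPLE_WER = ("\ufeff" + "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=133810329329218513",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133810329337968634",
    "ReportStatus=524384",
    "ReportIdentifier=64b5c7c7-0e96-4516-9030-0e6ce3b40438",
    "IntegratorReportIdentifier=a35865ef-5fa8-4aa4-b0c0-ff34a6cde311",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=kQibsaGS2E.exe",
    "AppSessionGuid=00000604-0001-0014-9017-921ac963db01",
    "TargetAppId=W:000616427ff16e3de36ac7cca9423961536f00000908"
    "!0000cb7bb785347769bff73647976c57350320ca498e!kQibsaGS2E.exe",
    "",
])).encode("utf-16-le")

SAMPLE_SHA1 = "cb7bb785347769bff73647976c57350320ca498e"  # from the report header

if __name__ == "__main__":
    s = summarize(parse_wer(SAMPLE_WER))
    print(s, "matches submitted sample:", s["target_sha1"] == SAMPLE_SHA1)
```

On a live system the same files sit under C:\ProgramData\Microsoft\Windows\WER\, so the parser doubles as a quick way to recover which binaries crashed, and when, from a disk image.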
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Jan 11 01:35:33 2025, 0x1205a4 type
Category: dropped
Size (bytes): 39718
Entropy (8bit): 1.9506506349645674
Encrypted: false
SSDEEP: 192:hXF2Qjp1oqwsYOYDFYeIPTBNThmQsKMY5Irlq0X:tFfjp+VsfOydnxsKMY5sq8
MD5: 6DCDC8EF55BD3CBC762FCB14E4BEE587
SHA1: 63CF3AEEA12DF770E7714514297F450E906D7A9E
SHA-256: 8DCD75C67B6315B2E506B9E0C379E606AE63009E2BFAB7A7FE2A390D6B15AE37
SHA-512: 06D5DA3FC2A5BE094888B06468AA3A7CB28E0576207A8B7C7DDB8FFDB97A036A58DE1AA4789360B9E3E3078EB6BBE61A0E5F7AF40D130E839DDF591A052D2BF2
Malicious: false
Reputation: low
          Preview:MDMP..a..... .........g........................\...............b'..........T.......8...........T...........P..........................................................................................................eJ......|.......GenuineIntel............T.............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8298
Entropy (8bit): 3.6959824402747223
Encrypted: false
SSDEEP: 192:R6l7wVeJxX6t6YN6SUBlBXgmfmwpru89bJssfnjm:R6lXJR6t6YASUTBXgmfmCJ/f6
MD5: EA684C5CC8DD63479F5F8C18A1266949
SHA1: 8643DB9BD2554BBB08BD6015483AA6E82342D856
SHA-256: 6A85140D91F050421FDEF6E6C88BEA3B4EAC3AEFF25CDAEECE550CCE9440F8A9
SHA-512: 6975AB446D999C355F86A2F8FF0CDB3502566C319E4F7E1898DDEE1F590C86B098890C0906648ED43ADCD11164433DA30F24129E6FAE7E3F2372DB1F66C24D06
Malicious: false
Reputation: low
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.4.0.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4579
Entropy (8bit): 4.471295980997048
Encrypted: false
SSDEEP: 48:cvIwWl8zsPzJg77aI9YkeWpW8VY0gYm8M4JKmbtIFeR+q8ZWNn8cpfvkd:uIjfPNI7ikf7VnJKo1RSW+cpfvkd
MD5: 7755D27FDA6A704DD281D213B9D2DBCA
SHA1: BE6F7A18CC152FDBCE548F303E6A33FE3B64F103
SHA-256: C44BAF18D0333622E81F9F6483DFE08A115616CDB7A58CEF70729A4D729E192F
SHA-512: 3EDB7DE354FDAB9F719BD06BB1E70033CF9A174FD56B1904C4052CE5D4FD5E006EDF42F9A5EF3E4894AD0C9D1BB2B7BEFD69D1EE9820809F181CBC2009269760
Malicious: false
Reputation: low
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670598" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):1835008
          Entropy (8bit):4.416627375337323
          Encrypted:false
          SSDEEP:6144:ccifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNd5+:xi58oSWIZBk2MM6AFB7o
          MD5:F4916D838F4945ADBAB9620FCA47FEEE
          SHA1:683E6291FCBF129896BDC235DEB0569F12AD661A
          SHA-256:164B78A4DBA0E0DA36569BCE0B5F66227C0D940C846FBD288AA85082804FDF53
          SHA-512:0F4E76D33CE23735AC1342CE40BAE52C287A7A3DA03BEB952EA9CFA44DBB2E9EE84DC8E26434FE6CF34103AAE5ACEE4A75ACD58BBCE96C3D58AD4B2C93869C84
          Malicious:false
          Reputation:low
Preview:regf (registry hive header; embedded path \AppCompat\Programs\Amcache.hve, followed by binary padding)
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.2046557062314545
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.70%
          • Win32 EXE Yoda's Crypter (26571/9) 0.26%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:kQibsaGS2E.exe
          File size:1'360'384 bytes
          MD5:622477f506f2cc70c597fcec0aeac1a1
          SHA1:cb7bb785347769bff73647976c57350320ca498e
          SHA256:9c1047801b38650382f68beedae4bcbd47bba142abad7405cac530f4e09f47ee
          SHA512:ddb9ce92109548dac89da604d596ccb9909b1daf6f10a2606c249d94258f4e9a5a45ecb97528b65004392015e68708380f26e2e31df3da7ba448ceb93571b542
          SSDEEP:24576:1u6J33O0c+JY5UZ+XC0kGsoTCcLMkSjkpoftUXoBmZieeiftIZpN:Xu0c++OCvkGsECcLMrQaZoZiEFIZp
          TLSH:5B55D01273DDC360CB669173BF6AB7016EBB7C620630F95B2F980D3DA950161262D7A3
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x427dcd
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x6750F820 [Thu Dec 5 00:47:28 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:bd3825b6e0410966f0c31f64b6c7644a
          Instruction
          call 00007FE3C88CBECAh
          jmp 00007FE3C88BEC94h
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007FE3C88BEE1Ah
          cmp edi, eax
          jc 00007FE3C88BF17Eh
          bt dword ptr [004C31FCh], 01h
          jnc 00007FE3C88BEE19h
          rep movsb
          jmp 00007FE3C88BF12Ch
          cmp ecx, 00000080h
          jc 00007FE3C88BEFE4h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007FE3C88BEE20h
          bt dword ptr [004BE324h], 01h
          jc 00007FE3C88BF2F0h
          bt dword ptr [004C31FCh], 00000000h
          jnc 00007FE3C88BEFBDh
          test edi, 00000003h
          jne 00007FE3C88BEFCEh
          test esi, 00000003h
          jne 00007FE3C88BEFADh
          bt edi, 02h
          jnc 00007FE3C88BEE1Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007FE3C88BEE23h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007FE3C88BEE75h
          bt esi, 03h
          jnc 00007FE3C88BEEC8h
          Programming Language:
          • [ASM] VS2013 build 21005
          • [ C ] VS2013 build 21005
          • [C++] VS2013 build 21005
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2013 UPD4 build 31101
          • [RES] VS2013 build 21005
          • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x83840 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | fc8a5b32808697dd41c898d938b66f67 | False | 0.3239911500677507 | data | 5.674452471189642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x83840 | 0x83a00 | 6542f8bb443c155611cc24731fefae83 | False | 0.9494784247388414 | data | 7.937194013764426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14b000 | 0x711c | 0x7200 | 8a46a4bc77a3f321996ff4079f834054 | False | 0.0017475328947368421 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x7ab07 | data | | | 1.0003203756952253
RT_GROUP_ICON | 0x14a2c0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x14a338 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x14a34c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x14a360 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x14a374 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x14a450 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 02:35:59.710767031 CET | 58723 | 53 | 192.168.2.7 | 162.159.36.2
Jan 11, 2025 02:35:59.715509892 CET | 53 | 58723 | 162.159.36.2 | 192.168.2.7
Jan 11, 2025 02:35:59.715692997 CET | 58723 | 53 | 192.168.2.7 | 162.159.36.2
Jan 11, 2025 02:35:59.720452070 CET | 53 | 58723 | 162.159.36.2 | 192.168.2.7
Jan 11, 2025 02:36:00.219012976 CET | 58723 | 53 | 192.168.2.7 | 162.159.36.2
Jan 11, 2025 02:36:00.237606049 CET | 58723 | 53 | 192.168.2.7 | 162.159.36.2
Jan 11, 2025 02:36:00.242743015 CET | 53 | 58723 | 162.159.36.2 | 192.168.2.7
Jan 11, 2025 02:36:00.242825031 CET | 58723 | 53 | 192.168.2.7 | 162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 02:35:27.583873987 CET | 53378 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 02:35:59.710109949 CET | 53 | 59135 | 162.159.36.2 | 192.168.2.7
Jan 11, 2025 02:36:00.328289986 CET | 60318 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 02:36:00.335077047 CET | 53 | 60318 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 02:35:27.583873987 CET | 192.168.2.7 | 1.1.1.1 | 0x5452 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:36:00.328289986 CET | 192.168.2.7 | 1.1.1.1 | 0xb0be | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 02:35:27.590581894 CET | 1.1.1.1 | 192.168.2.7 | 0x5452 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 02:35:30.361957073 CET | 1.1.1.1 | 192.168.2.7 | 0x828c | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 02:35:30.361957073 CET | 1.1.1.1 | 192.168.2.7 | 0x828c | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:36:00.335077047 CET | 1.1.1.1 | 192.168.2.7 | 0xb0be | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

          Target ID:0
          Start time:20:35:32
          Start date:10/01/2025
          Path:C:\Users\user\Desktop\kQibsaGS2E.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\kQibsaGS2E.exe"
          Imagebase:0xc50000
          File size:1'360'384 bytes
          MD5 hash:622477F506F2CC70C597FCEC0AEAC1A1
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:4
          Start time:20:35:32
          Start date:10/01/2025
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 532
          Imagebase:0x450000
          File size:483'680 bytes
          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:0%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:66.7%
            Total number of Nodes:3
            Total number of Limit Nodes:0
            execution_graph 123862 c77dcd 123865 c84e87 123862->123865 123866 c77dd2 LdrInitializeThunk 123865->123866

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 0 c77dcd-c77dd2 call c84e87 LdrInitializeThunk
            APIs
            • ___security_init_cookie.LIBCMT ref: 00C77DCD
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
• Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: ___security_init_cookie
            • String ID:
            • API String ID: 3657697845-0
            • Opcode ID: 37d1d09d41eb5fcb3a4af465fc0fb251569986102ab4ab40f909050fe7e311e5
            • Instruction ID: 8d67408759f17f088a8f53c4cde82028f339bcef5b4ca089160a5ee8a42a240c
            • Opcode Fuzzy Hash: 37d1d09d41eb5fcb3a4af465fc0fb251569986102ab4ab40f909050fe7e311e5
            • Instruction Fuzzy Hash:
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
• Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memmove$_memset
            • String ID: $ ]K$"$'$)$+$-$0$9$<$@$P\K$R$n$o$p$q$s{p${
            • API String ID: 1357608183-3800155241
            • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
            • Instruction ID: d3a02dbcddce87b8325e9a66f9e7d58a8bf234e1f4e39c69ee7274cba0c7d661
            • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
            • Instruction Fuzzy Hash: 7C93B371E00216DFDB24CF98C891BADB7B1FF49318F24856AE955AB281E7709E81CB50
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
• Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID: 0DJ$0DJ$ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-223423113
            • Opcode ID: f5ff305bdbafe341a1db575146456b4f73aa52c1d9f9d9bce80aef23edd1e421
            • Instruction ID: cb33c29515b0edc260feb0bebb7dd85392889c0dba4ad39961260ba48a8f1d9f
            • Opcode Fuzzy Hash: f5ff305bdbafe341a1db575146456b4f73aa52c1d9f9d9bce80aef23edd1e421
            • Instruction Fuzzy Hash: 5CA28E70E0521ACBDF38CF59C9947ADB7B1BF54314F1482AAD92AA7280E7309E81DF50

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
• Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: bc5590fee32963866547a934e2f4481e6f2daf4eb5e9485274101ae2dbc06eb9
            • Instruction ID: 21489d0dfac1f64bd661c52cdd4c8c691210a72989a9fd870d273d5052b2dc7c
            • Opcode Fuzzy Hash: bc5590fee32963866547a934e2f4481e6f2daf4eb5e9485274101ae2dbc06eb9
            • Instruction Fuzzy Hash: 1012BB70A0060ADFCF14DFA5D981AAEB3F5FF48304F208529E846E7290EB36AD55DB54

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 3329 c63030-c63081 call c65a9d call c59837 * 2 3336 c63083-c63092 call c59b3c 3329->3336 3337 c630a9-c630ad 3329->3337 3347 c6348f 3336->3347 3348 c63098-c6309b 3336->3348 3338 c630b3-c630b6 3337->3338 3339 c96c12-c96c1d call c59b3c 3337->3339 3341 c63496 3338->3341 3342 c630bc-c630d0 call c65b12 3338->3342 3353 c96c26-c96c63 call c598c0 call ca652d call c6fd21 3339->3353 3350 c634a0-c634a5 3341->3350 3352 c630d6-c630e2 call c65bc4 3342->3352 3342->3353 3347->3341 3348->3347 3351 c630a1-c630a5 3348->3351 3354 c96e86 3350->3354 3351->3337 3361 c96c68-c96c7f call c654a8 3352->3361 3362 c630e8-c630f4 call c57667 3352->3362 3353->3361 3357 c96e8f-c96e9c call c57d2c 3354->3357 3374 c96ea5-c96eb9 call ca652d 3357->3374 3372 c96c98-c96ca4 call c598c0 3361->3372 3373 c96c81-c96c8d call c598c0 3361->3373 3375 c96caf-c96cc3 call c654a8 3362->3375 3376 c630fa-c630fd 3362->3376 3372->3375 3373->3372 3387 c96ebe-c96ec1 3374->3387 3390 c96cf5-c96cfb 3375->3390 3391 c96cc5-c96cd6 call c598c0 3375->3391 3380 c63103-c63106 3376->3380 3381 c96d77-c96d8b call c654a8 3376->3381 3380->3387 3388 c6310c-c63126 3380->3388 3402 c96cdc-c96cf0 call ca652d 3381->3402 3403 c96d91-c96dab call c592ce call c59050 3381->3403 3392 c63444-c63467 call c55904 call c65ace call c55904 3387->3392 3393 c96ec7-c96f23 3387->3393 3394 c6312a-c63135 3388->3394 3397 c96d0d-c96d14 call c592ce 3390->3397 3398 c96cfd-c96d0b call c592ce 3390->3398 3391->3402 3400 c96f2b-c96f45 call caf350 3393->3400 3401 c63140-c63146 3394->3401 3426 c96d15-c96d2c call c59050 3397->3426 3398->3426 3421 c96f72-c96f78 3400->3421 3422 c96f47-c96f4f 3400->3422 3405 c63422-c63428 3401->3405 3406 c6314c-c63151 3401->3406 3402->3390 3440 c96de9-c96e01 call c6fd21 3403->3440 3441 c96dad-c96de7 call ca61bb call c5928a call c58ee0 call c598c0 3403->3441 3405->3374 3417 c6342e-c6343f call c59730 call c54014 3405->3417 3406->3405 3414 c63157-c6315a 3406->3414 3414->3405 3423 c63160-c63162 3414->3423 3417->3392 
3433 c96f7a-c96f8d call ca652d 3421->3433 3434 c96f8f-c96fa9 call c592ce call c59050 3421->3434 3422->3400 3430 c96f51-c96f70 call c59730 call ca60ef 3422->3430 3423->3405 3431 c63168-c631a3 call c63fe0 3423->3431 3426->3440 3445 c96d32-c96d73 call ca61bb call c5928a call c58ee0 call c598c0 3426->3445 3430->3400 3454 c63414-c6341c 3431->3454 3455 c631a9-c631ca 3431->3455 3457 c96fc3-c96fd5 call c598c0 call ca617e 3433->3457 3434->3457 3468 c96fab-c96fc1 call c58ee0 3434->3468 3466 c96e06-c96e08 3440->3466 3441->3440 3500 c96d75 3445->3500 3454->3405 3463 c96e22-c96e25 3454->3463 3465 c631d0-c631dc 3455->3465 3455->3466 3463->3405 3473 c96e2b-c96e5a call c654a8 3463->3473 3465->3405 3474 c631e2-c631e5 3465->3474 3469 c96e0a 3466->3469 3470 c96e12 3466->3470 3468->3457 3469->3470 3470->3463 3493 c96e63-c96e70 call c57d2c 3473->3493 3480 c6340a 3474->3480 3481 c631eb-c631ef 3474->3481 3480->3454 3481->3401 3487 c631f5-c63200 3481->3487 3490 c63204-c63206 3487->3490 3490->3493 3494 c6320c-c63216 3490->3494 3502 c96e79-c96e7d 3493->3502 3498 c6321c-c63245 3494->3498 3499 c634aa-c634af 3494->3499 3498->3502 3503 c6324b-c6325b call c7571c 3498->3503 3499->3354 3500->3440 3502->3354 3503->3350 3507 c63261-c6328f call c70e40 3503->3507 3507->3357 3510 c63295-c63298 3507->3510 3510->3357 3511 c6329e-c632a0 3510->3511 3511->3357 3512 c632a6-c632ab 3511->3512 3513 c632b1-c632c2 call c70db6 3512->3513 3514 c6346a-c63478 call c57f27 3512->3514 3519 c634b4 3513->3519 3520 c632c8-c632d7 3513->3520 3521 c63481-c6348a 3514->3521 3523 c634bb 3519->3523 3522 c632dd-c63330 call c70db6 call c70e40 3520->3522 3520->3523 3524 c633b2-c633d9 call c70db6 3521->3524 3526 c634c5-c634c7 3522->3526 3535 c63336-c63348 call c72d55 3522->3535 3523->3526 3532 c63401-c63405 3524->3532 3533 c633db-c633dd 3524->3533 3540 c634cc 3526->3540 3536 c6334a-c63356 call c70db6 3532->3536 3533->3532 3537 c633df-c633fe call c70e40 call c70e2c 3533->3537 3535->3536 3546 c633a3-c633ac 3535->3546 3536->3540 3547 
c6335c-c63391 3536->3547 3537->3532 3540->3339 3546->3521 3546->3524 3547->3394 3549 c63397-c6339e 3547->3549 3549->3490
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID: 3cA
            • API String ID: 674341424-2523384761
            • Opcode ID: bd8f269727dd203b3cd5d455fda2b58de944a4bb22d2e13bbec33b21dd907dda
            • Instruction ID: f5bd5b17200a5d1815561594ac5a653a854d532b6019a41e9a6e55610db78899
            • Opcode Fuzzy Hash: bd8f269727dd203b3cd5d455fda2b58de944a4bb22d2e13bbec33b21dd907dda
            • Instruction Fuzzy Hash: 7222BB716083419FCB24DF24C881B6FBBE4EF84704F14492DF89A97291DB71EA49DB92
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID: pbL
            • API String ID: 0-2198975964
            • Opcode ID: f4dcd20d2bc5d81d89870ef2a695217c5eca1df5ed962e9f7e233abbde67ac23
            • Instruction ID: 6554485dcf0cbe135f2b832ac16bb7eb4da04f67bcbee7b778c313926be3cf38
            • Opcode Fuzzy Hash: f4dcd20d2bc5d81d89870ef2a695217c5eca1df5ed962e9f7e233abbde67ac23
            • Instruction Fuzzy Hash: 699257746083418FDB24DF14C484B2BB7E1BF85304F24896DE89A9B362D771ED86CB96
            APIs
              • Part of subcall function 00C70DB6: std::exception::exception.LIBCMT ref: 00C70DEC
              • Part of subcall function 00C70DB6: __CxxThrowException@8.LIBCMT ref: 00C70E01
            • _memmove.LIBCMT ref: 00CA0258
            • _memmove.LIBCMT ref: 00CA036D
            • _memmove.LIBCMT ref: 00CA0414
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throwstd::exception::exception
            • String ID:
            • API String ID: 1300846289-0
            • Opcode ID: 7e59d6d005cac17bdf0d515b6185c65b2e751bd3579f41a42c57154c824fcbd6
            • Instruction ID: 44d6de36e13e4a8b058c83e7d0250480bc0f479ffc1161f3cac41b2130b7e053
            • Opcode Fuzzy Hash: 7e59d6d005cac17bdf0d515b6185c65b2e751bd3579f41a42c57154c824fcbd6
            • Instruction Fuzzy Hash: BD02D0B0A00209DBCF14DF64D981AAEBBB5FF45304F248069E80ADB395EB31DE54DB95
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID: DdL$DdL$DdL$DdL
            • API String ID: 0-1563988167
            • Opcode ID: d23c6b499de0a7fbb547df9319404598a5cece590a92a1b032f5e0038fb359f7
            • Instruction ID: 7b987e068d5ee2c0f1b59980b23477db67a8c259d344990bb3fc1ef6cdefb6bc
            • Opcode Fuzzy Hash: d23c6b499de0a7fbb547df9319404598a5cece590a92a1b032f5e0038fb359f7
            • Instruction Fuzzy Hash: 9E929E79A00215CFCB28CF58C484AAEB7B1FF59311F248169EC159B351D775EE8ACB88
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 25a1e612490df0e2fd5aff0df4db96d0646e8fd45de2b35679b98956547aaa80
            • Instruction ID: e58c3f6f69622edb27f640e23834d6917d76e031af0716f917cf4f1158c8a3b7
            • Opcode Fuzzy Hash: 25a1e612490df0e2fd5aff0df4db96d0646e8fd45de2b35679b98956547aaa80
            • Instruction Fuzzy Hash: 7712F171500205ABEB249F65CC49FAF7BF8EF45310F24462AFA15EA3E1EB709949DB10
            APIs
            • __time64.LIBCMT ref: 00CB889B
              • Part of subcall function 00C7520A: __aulldiv.LIBCMT ref: 00C75233
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __aulldiv__time64
            • String ID: 0eL
            • API String ID: 325419493-3167399643
            • Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
            • Instruction ID: e5d2489c9bd7b3f4fe806738bf2243d7f7ccd1869e06fdc73baff3a944f972f2
            • Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
            • Instruction Fuzzy Hash: BE21AF326256108BC729CF29D841A92B3E5EFA5311F698E6CD0F5CB2C0CA75A909CB54
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7fedcd55ce1be01234807a739cd4bdd318ff75d00aeb43b21d4f5e2df7acffac
            • Instruction ID: 28b9c620604f5cf6d4a8b061db0af01e9c6fbbca9500b2a5513e7485aa3ef693
            • Opcode Fuzzy Hash: 7fedcd55ce1be01234807a739cd4bdd318ff75d00aeb43b21d4f5e2df7acffac
            • Instruction Fuzzy Hash: A622CF78900215DFCF28DF94C484AAEB7B0FF08311F148169EC669B391D770AA89DB95
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID: 0DJ0EJ0FJpGJ$pGJ
            • API String ID: 0-2520054932
            • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
            • Instruction ID: f3b13a11c88c80fd30596d6185c215df40b2718e1f7fbc5fb44148aedea6d2d4
            • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
            • Instruction Fuzzy Hash: 1A728171E0021ADBDF24CF59C8807AEB7B5FF49314F14816AE959EB290E7349E81DB90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID: ($|
            • API String ID: 0-1631851259
            • Opcode ID: e10e0101c6e5428e3f3f3b8754e90dc55a18d34dd6833db7f52c40727a3dee7e
            • Instruction ID: c2e719418abdcfdd6158d681dae6531794a9296d83ec5d031f1ea2178418479d
            • Opcode Fuzzy Hash: e10e0101c6e5428e3f3f3b8754e90dc55a18d34dd6833db7f52c40727a3dee7e
            • Instruction Fuzzy Hash: B1323675A007069FD728CF59C4819AAB7F0FF48314B15C46EE8AADB3A1D770E941CB94
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
            • Instruction ID: 966e53770daa1b5fe9e5e1cf1e0117c52d12e143e203ad30879a7f0427663ce1
            • Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
            • Instruction Fuzzy Hash: 0C320422D29F014DD7239635D872335A288AFB73D8F15D73BF829B59A6EB28D5834204
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
            • Instruction ID: 3fe0576c697d03a9dccc52f34f4ddb31871f5346aa59c7ad13acf6720d2ad6ed
            • Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
            • Instruction Fuzzy Hash: 68B10231D2AF404DD723A6398835336B65CAFBB2C9F51D72BFC2674D22EB2185934285
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5eb806d70b46a9202dd3e543ee6ca14ab650e64b5adbaddcfbe08c0bc828943e
            • Instruction ID: a65c772efe3f2250d6bf97eb70762d5d4fdb27a6ca9a020cfad416022dad27d3
            • Opcode Fuzzy Hash: 5eb806d70b46a9202dd3e543ee6ca14ab650e64b5adbaddcfbe08c0bc828943e
            • Instruction Fuzzy Hash: 810269756006019FCB14EF28C881E2AB7E5FF89710F14885DF9999B3A2CB30ED45DB85
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID:
            • API String ID: 674341424-0
            • Opcode ID: 4343597e8507452ccff4b02692f110eb0ad94be3eec77fb80de36c15d9900197
            • Instruction ID: 016451a01c64e7819c67d4c1be20c6c1677b577d6535a8483a8da4b8a8462332
            • Opcode Fuzzy Hash: 4343597e8507452ccff4b02692f110eb0ad94be3eec77fb80de36c15d9900197
            • Instruction Fuzzy Hash: 6BE15D71604200EFCB14DF28C891E2ABBE4EF89314F14896DF959DB3A1DB30E945DB92
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
            • Instruction ID: 1db01cf74a842d457b3969627709de309f346143ad9a29aa4136e3e552bb1853
            • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
            • Instruction Fuzzy Hash: 83A1397C102585BED629BA2A4C8CF7F255CDB42347B1C011AFD22D1192DA249EC9F37D
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction ID: 348fce67231e7e0514b7932cc69d5ed44c7f1e4b6ca3601af391cf7c851de175
            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction Fuzzy Hash: 27C196322051930ADF6E463EC47503EFBA15EA27B131E875DD8BBCB1D5EE20CA65D620
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction ID: 2fee0fc2522c2bf2c4eabf730e24f9d82612d226aba1af1ea040dcf7b515febd
            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction Fuzzy Hash: 3AC186332051930ADF2E463EC43513EBBA15FA27B131E976DD8B6DB1D5EE20CA25D620
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
            • Instruction ID: f83f53c6054457e6be58e66e6979d1c82b2a3f8651791b143901220b60670df7
            • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
            • Instruction Fuzzy Hash: BAC167322051930ADF2E463E847513EFAA15EA27B131E875DDCBBDB1D4EE10CB65DA20
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction ID: 2da361cbb85b8673568cb3b1acf026efec14cddf50d7cf48a9e0a90da1ec4325
            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction Fuzzy Hash: BDC186322051930ADF2E463EC47513EBAA15EA27B131E975DDCBBDB1C4EE10CA25D610

            Control-flow Graph: entry block c568dc
            Similarity
            • API ID: __wcsnicmp
            • String ID:
            • API String ID: 1038674560-0
            • Opcode ID: 925611d6804fe502eb64822f337db5433ea1a7a143fe913b499dbfc23ac76dca
            • Instruction ID: 5ecd29b4efaacf4dff1b91d5a1812905541cfc0a2cd3e15eb9a254861703d09f
            • Opcode Fuzzy Hash: 925611d6804fe502eb64822f337db5433ea1a7a143fe913b499dbfc23ac76dca
            • Instruction Fuzzy Hash: 528126B4600205BACF20BA61EC42FAF7768AF15715F544025FC45AB192EB71DE89E3A8

            Control-flow Graph: entry block cb449a
            Similarity
            • API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
            • String ID:
            • API String ID: 3576275495-0
            • Opcode ID: f2dd82df36c9484ed452d294227e50002af446f68463c0679fc1068f518ba4c5
            • Instruction ID: ea3d8ac139e555186c5ad1e4d570c2cde8544f2dc491a66a9973bdc54c4a41d4
            • Opcode Fuzzy Hash: f2dd82df36c9484ed452d294227e50002af446f68463c0679fc1068f518ba4c5
            • Instruction Fuzzy Hash: 3C41E632904204BBDB24BB759C47FFF776CDF51710F14846AF909E6182EB349A01A7A9

            Control-flow Graph: entry block c76e03
            APIs
            • _memset.LIBCMT ref: 00C76E3E
              • Part of subcall function 00C78B28: __getptd_noexit.LIBCMT ref: 00C78B28
            • __gmtime64_s.LIBCMT ref: 00C76ED7
            • __gmtime64_s.LIBCMT ref: 00C76F0D
            • __gmtime64_s.LIBCMT ref: 00C76F2A
            • __allrem.LIBCMT ref: 00C76F80
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C76F9C
            • __allrem.LIBCMT ref: 00C76FB3
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C76FD1
            • __allrem.LIBCMT ref: 00C76FE8
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C77006
            • __invoke_watson.LIBCMT ref: 00C77077
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
            • Instruction ID: 654b2c65f2767f39b3204084eb5036e87c5f46407fda3d3b476b2ddd7a6a7139
            • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
            • Instruction Fuzzy Hash: 2E710776A00B17ABD714EE79DC81B9AB7A8AF04724F14C229F528E7681E770DE409790

            Control-flow Graph: entry block cb9155
            APIs
              • Part of subcall function 00CB8F5F: __time64.LIBCMT ref: 00CB8F69
              • Part of subcall function 00C54EE5: _fseek.LIBCMT ref: 00C54EFD
            • __wsplitpath.LIBCMT ref: 00CB9234
              • Part of subcall function 00C740FB: __wsplitpath_helper.LIBCMT ref: 00C7413B
            • _wcscpy.LIBCMT ref: 00CB9247
            • _wcscat.LIBCMT ref: 00CB925A
            • __wsplitpath.LIBCMT ref: 00CB927F
            • _wcscat.LIBCMT ref: 00CB9295
            • _wcscat.LIBCMT ref: 00CB92A8
              • Part of subcall function 00CB8FA5: _memmove.LIBCMT ref: 00CB8FDE
              • Part of subcall function 00CB8FA5: _memmove.LIBCMT ref: 00CB8FED
            • _wcscmp.LIBCMT ref: 00CB91EF
              • Part of subcall function 00CB9734: _wcscmp.LIBCMT ref: 00CB9824
              • Part of subcall function 00CB9734: _wcscmp.LIBCMT ref: 00CB9837
            • _wcsncpy.LIBCMT ref: 00CB94C5
            Similarity
            • API ID: _wcscat_wcscmp$__wsplitpath_memmove$__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
            • String ID:
            • API String ID: 2744720387-0
            • Opcode ID: 399d582de9c20c8765367d64c56b1fa89cf83462de3145a455e9ac53565308cb
            • Instruction ID: 62dd192fdf32753b5c2ca9d9c07d3648b101bd15463f64d25702b532d34a64b4
            • Opcode Fuzzy Hash: 399d582de9c20c8765367d64c56b1fa89cf83462de3145a455e9ac53565308cb
            • Instruction Fuzzy Hash: 8AC14BB1D00219ABDF25DFA5CC85ADEB7BCEF45300F0040AAF609E6151DB309A88DF65

            Control-flow Graph: entry block cabbaf
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 69f4a9ee4471d3b742fe204232521a94e9e3c838df7205ae948ccdb36eb6070b
            • Instruction ID: d219ce41fcf5553a645d01acf2898b3401be637a4772c41da6e7d560be2ce7e0
            • Opcode Fuzzy Hash: 69f4a9ee4471d3b742fe204232521a94e9e3c838df7205ae948ccdb36eb6070b
            • Instruction Fuzzy Hash: 8F21F3716012077BEB046626AE42FFB775CAE1235CF188021FD0996687EBA8DF1192B5

            Control-flow Graph

            APIs
            • __swprintf.LIBCMT ref: 00CBC890
            • __swprintf.LIBCMT ref: 00CBC8D3
              • Part of subcall function 00C57DE1: _memmove.LIBCMT ref: 00C57E22
            • __swprintf.LIBCMT ref: 00CBC927
              • Part of subcall function 00C73698: __woutput_l.LIBCMT ref: 00C736F1
            • __swprintf.LIBCMT ref: 00CBC975
              • Part of subcall function 00C73698: __flsbuf.LIBCMT ref: 00C73713
              • Part of subcall function 00C73698: __flsbuf.LIBCMT ref: 00C7372B
            • __swprintf.LIBCMT ref: 00CBC9C4
            • __swprintf.LIBCMT ref: 00CBCA13
            • __swprintf.LIBCMT ref: 00CBCA62
            Similarity
            • API ID: __swprintf$__flsbuf$__woutput_l_memmove
            • String ID:
            • API String ID: 1085135966-0
            • Opcode ID: 08cbf9ea8a07e00e0847f29702dfc94e1c29246ef4a4e0b45be8a7287cd81770
            • Instruction ID: 1ed6a5bf547b96db922e8e5fbaf6d65fbf8b9d4b9a6068570ca9e128cdd7e3ff
            • Opcode Fuzzy Hash: 08cbf9ea8a07e00e0847f29702dfc94e1c29246ef4a4e0b45be8a7287cd81770
            • Instruction Fuzzy Hash: BAA12CB6408344ABC700EFA4C886DAFB7ECFF94701F40492DF99586191EB35DA48DB66

            Control-flow Graph: entry block caaed4
            Similarity
            • API ID: _wcscmp$_wcsstr
            • String ID: @
            • API String ID: 3312506106-2766056989
            • Opcode ID: 525916a8bc504fa4b13b14d336d007f5d6dda10833d5cc4250fb434a5272fc3c
            • Instruction ID: 9c29c9ea813d05fc9a2e03748af9c1b62a8871bae6739da33bef1b39b3fb8192
            • Opcode Fuzzy Hash: 525916a8bc504fa4b13b14d336d007f5d6dda10833d5cc4250fb434a5272fc3c
            • Instruction Fuzzy Hash: 9F81C2711082069FDB04DF50C885FAA7BE8FF45318F14856EFDA98A092DB34DE89DB61

            Control-flow Graph: entry block cb64b8
            Similarity
            • API ID: _memmove$__itow__swprintf
            • String ID:
            • API String ID: 3253778849-0
            • Opcode ID: 7737c114a36851362f9cff69a5865d84050081a44473ada8722d867349a6da20
            • Instruction ID: fbcafbced950f7cac6c0405b0a75d3770c040b08287e2b7d052d4c2da8cd6404
            • Opcode Fuzzy Hash: 7737c114a36851362f9cff69a5865d84050081a44473ada8722d867349a6da20
            • Instruction Fuzzy Hash: D4618B3450065A9BCF11EF60CC82EFE37A5EF05308F048559FC696B292DB38AD59EB54

            Control-flow Graph: entry block cb4cc1
            Similarity
            • API ID: _wcscmp
            • String ID:
            • API String ID: 856254489-0
            • Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
            • Instruction ID: 537652d47a7f9bd0c3c8e9b696274924afc6bef224320fd77141c624f2ee183a
            • Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
            • Instruction Fuzzy Hash: 895164B200C3859BC724DBA0D8919DFB3ECAF84351F00492EF589D3152EF35A689D76A

            Control-flow Graph: entry block c59837
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __i64tow__itow__swprintf
            • String ID:
            • API String ID: 421087845-0
            • Opcode ID: 7bcafa12e8cb9d546087ae0c13376f8b73a3c8d299bf9db3645951ad734d3080
            • Instruction ID: ec55572f518c0f99a6e0356b73a17f953cb9c63cf379ab1959f4a35ea7903cf3
            • Opcode Fuzzy Hash: 7bcafa12e8cb9d546087ae0c13376f8b73a3c8d299bf9db3645951ad734d3080
            • Instruction Fuzzy Hash: 37410475500205EFDB24EF74D842A7A77E8FF05304F3044BEE959D7281EA319A86DB24
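The dump file names listed under Memory Dump Source encode where each region came from. The following Python is added here as an example and is not part of the Joe Sandbox report or its tooling: it splits a name into its dot-separated fields and decodes the three that line up with Windows constants. The fourth field is the region base address (it matches the Offset and section addresses quoted in the report), the fifth is a PAGE_* protection value from winnt.h (0x20 PAGE_EXECUTE_READ for the 00C51000 code region, 0x02 PAGE_READONLY for the header and other read-only regions, 0x08 PAGE_WRITECOPY for the writable data regions) and the seventh is the MEMORY_BASIC_INFORMATION type (0x01000000 MEM_IMAGE). Reading the first field as the report's process index and the third as a dump identifier is an assumption; the second, sixth and eighth fields are returned as plain integers because the report does not establish their meaning.

```python
"""Decode Joe Sandbox memory-dump file names (added example)."""
import re

# Page protections from winnt.h; the fifth name field matches these values.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values; the seventh field matches these.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8, HEX16 = r"([0-9A-Fa-f]{8})", r"([0-9A-Fa-f]{16})"
SDMP_RE = re.compile(
    r"^" + r"\.".join([HEX8, HEX8, r"(\d+)", HEX16, HEX8, HEX8, HEX8, HEX8]) + r"\.sdmp$"
)


def decode_protection(value):
    """Map a PAGE_* value to its name, plus any modifier bits that are set."""
    names = [PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:02x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_sdmp_name(name):
    """Split one dump name into fields. Only the address, protection and type
    fields are decoded against Windows constants; the rest are returned raw."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    f = m.groups()
    prot = int(f[4], 16)
    return {
        "process_index": int(f[0], 16),   # assumption: report-local process number
        "field2": int(f[1], 16),          # meaning not established by the report
        "dump_id": int(f[2]),             # assumption: unique dump identifier
        "base": int(f[3], 16),            # region base, matches the report's Offset
        "protection": decode_protection(prot),
        "executable": bool(prot & 0xF0),  # any PAGE_EXECUTE* variant
        "field6": int(f[5], 16),          # meaning not established by the report
        "type": MEM_TYPE.get(int(f[6], 16), f"0x{int(f[6], 16):x}"),
        "field8": int(f[7], 16),          # meaning not established by the report
    }


def executable_dumps(names):
    """(base, protection) of every dump covering executable pages, by address.
    For a mapped image these are the regions worth disassembling."""
    rows = [parse_sdmp_name(n) for n in names]
    return sorted((r["base"], r["protection"]) for r in rows if r["executable"])


# The seven dump names listed in the report for kQibsaGS2E.exe.
REPORT_DUMPS = [
    "00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        r = parse_sdmp_name(n)
        print(f"{r['base']:#010x} {r['protection']:<24} {r['type']}")
```

Run against the seven names on this page, only the 00C51000 region is executable, which is why every function in this section is attributed to that dump; the 00C50000 region at the module base is the read-only PE header, and the PAGE_WRITECOPY regions are the image's writable data.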

            Control-flow Graph
            (graph image omitted) Function 00CB55FD: basic blocks 00CB55FD-00CB577C; calls 00C72BFC, 00C7358A, 00C740BB.
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcsncpy
            • String ID:
            • API String ID: 1735881322-0
            • Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
            • Instruction ID: 0044b740244ef4e76c3341f7d2cbc3f6163b9cbf5a2ad1fac5fad81c3dd623ac
            • Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
            • Instruction Fuzzy Hash: 07419176C1065476CB11EBB48C86ACFB3B8AF04310F50C966F91DE3221EB34A355D7AA
            APIs
            • __init_pointers.LIBCMT ref: 00C79AE6
              • Part of subcall function 00C73187: __initp_misc_winsig.LIBCMT ref: 00C731A5
            • __mtinitlocks.LIBCMT ref: 00C79AEB
            • __mtterm.LIBCMT ref: 00C79AF4
              • Part of subcall function 00C79B5C: _free.LIBCMT ref: 00C79C5D
            • __calloc_crt.LIBCMT ref: 00C79B19
            • __initptd.LIBCMT ref: 00C79B3B
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
            • String ID:
            • API String ID: 206718379-0
            • Opcode ID: 077d5c0f99fda34c06fd1b26cca46798951cce19c7061b0ffca82948e383fe55
            • Instruction ID: f858f817bc1eb7984bd7910209a888ce54e9e82b34fe06d2ba6edb8e9f05d27e
            • Opcode Fuzzy Hash: 077d5c0f99fda34c06fd1b26cca46798951cce19c7061b0ffca82948e383fe55
            • Instruction Fuzzy Hash: 23F0BE3261A7116BE6347B76BC07A8A3795DF02730F20CA2AF46DD61D2FF30894162B4
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __swprintf_memset_wcsncpy
            • String ID: :$\
            • API String ID: 214737766-1166558509
            • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
            • Instruction ID: e4bf016a338c6f97b2260e4f33a2d1925cab979e18289eb81f28aa31f5c86eff
            • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
            • Instruction Fuzzy Hash: 21319EB1904109ABDB219FA0DC49FEF77BCEF88740F1045BAF919D6160EB7097448B29
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscmp$__swprintf_iswctype
            • String ID:
            • API String ID: 3564621516-0
            • Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
            • Instruction ID: ab5fba402ea5039d23047c9d2ac4e726e004a868fa9ed0e25fbdbae98c1257fa
            • Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
            • Instruction Fuzzy Hash: 68A1B171204707BFD715DF60C884BAAB7E8FF45318F108629F9A9D2190DB30EA56DB92
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
            • String ID:
            • API String ID: 1559183368-0
            • Opcode ID: 5f1ff27ecb40ff672c6b963bdcbb91b938089e4726130bfa6a2e3a5f931ee01a
            • Instruction ID: c6f16bf4249fbdecc0330c4e80e89a8c1c8045d349c36f8933577944d8b6a37a
            • Opcode Fuzzy Hash: 5f1ff27ecb40ff672c6b963bdcbb91b938089e4726130bfa6a2e3a5f931ee01a
            • Instruction Fuzzy Hash: 3E51C470A00B05DBCB649FA9D88066E7BA6EF40325F24C729F83D962D0D7B09E909B41
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscpy$_memmove_strcat
            • String ID:
            • API String ID: 559723171-0
            • Opcode ID: de56ce9617f3aca52c0813d3aa7d2567c867b191378b8155293d27d06681c82b
            • Instruction ID: bd96c85fb3a5e0fe4851dc302e280b640d478368418776c0b0a4f4f6ad52d5dc
            • Opcode Fuzzy Hash: de56ce9617f3aca52c0813d3aa7d2567c867b191378b8155293d27d06681c82b
            • Instruction Fuzzy Hash: 61112731504104AFDB24AB309C46EEE77BCEF12711F1041BAF459A6092FF748AC5DB54
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 7c26e2e8b89362a653cc0400413d5b10d698c9d03250d8de96d81db894dbabbb
            • Instruction ID: cc31dd96d6097e34da7cd6e328f1ce328a6299a0f564259fd3f16ff1bffc9b05
            • Opcode Fuzzy Hash: 7c26e2e8b89362a653cc0400413d5b10d698c9d03250d8de96d81db894dbabbb
            • Instruction Fuzzy Hash: BF01B5716001067FD7046A1A9E42FBBB75CDE1239CF188021FD1997247EB54EE10A2A4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _iswctype_wcscpy
            • String ID: AU3!$EA06
            • API String ID: 2497406411-2658333250
            • Opcode ID: 4781125ca166825588d68b5edf5b5f887c139103f418c94bf321b8132ec7d7c5
            • Instruction ID: a7e6fed446e1af4814f9da533dafb03092f9be98cf78d3c10e940551ccdb2b8c
            • Opcode Fuzzy Hash: 4781125ca166825588d68b5edf5b5f887c139103f418c94bf321b8132ec7d7c5
            • Instruction Fuzzy Hash: 2502BF341083419FC724EF20C8919AFBBF5EF95318F50491DF89A972A1DB30DA89DB5A
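The two string fragments in this function, AU3! and EA06, together form the marker that AutoIt3 places in front of a compiled script embedded in an executable, which is what the "Binary is likely a compiled AutoIt script file" signature in the overview keys on. The following Python is an added example, not code from the report or from AutoIt: it scans a file image for the marker in its ASCII form, as stored with the script data, and in UTF-16LE as well, since the function shown handles these strings with wide-string routines (_iswctype, _wcscpy), and reports the offsets of every hit. The sample PE blob is constructed inline so the script runs without the real binary; the stub's layout is arbitrary and only serves to give the marker a known offset.

```python
"""Scan a PE image for the compiled-AutoIt script marker (added example)."""
import struct

# "AU3!" + "EA06": the marker AutoIt3 writes in front of an embedded compiled
# script. The report lists both halves as strings of this function.
AU3_MAGIC = b"AU3!EA06"
# Wide-string form, since the function uses _wcscpy/_iswctype on these strings.
AU3_MAGIC_WIDE = AU3_MAGIC.decode("ascii").encode("utf-16-le")


def find_all(data, needle):
    """Return every offset at which needle occurs in data (overlaps included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def is_pe(data):
    """Minimal PE check: MZ header and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_autoit(data):
    """Locate the marker and give a verdict on whether a compiled script is present."""
    script_hits = find_all(data, AU3_MAGIC)
    wide_hits = find_all(data, AU3_MAGIC_WIDE)
    return {
        "is_pe": is_pe(data),
        "script_marker_offsets": script_hits,   # where an embedded script blob starts
        "wide_marker_offsets": wide_hits,       # interpreter string references
        "likely_compiled_autoit": bool(script_hits or wide_hits),
    }


def build_sample():
    """Constructed stand-in for a PE that embeds a script (not the real sample)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew points just past it
    pe = b"PE\x00\x00" + b"\x00" * 20                # signature + empty COFF header
    code = b"\x90" * 64                              # filler for a code section
    script = AU3_MAGIC + b"<compiled script bytes>"  # marker lands at offset 0x98
    return bytes(hdr) + pe + code + script


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(scan_autoit(data))
```

A hit only establishes that the file carries a compiled AutoIt script, the same conclusion the sandbox signature draws; what the script does has to come from extracting and decompiling it, which is outside this report. Pass the path of a file as the first argument to scan a real image instead of the constructed sample.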
            APIs
              • Part of subcall function 00C59837: __itow.LIBCMT ref: 00C59862
              • Part of subcall function 00C59837: __swprintf.LIBCMT ref: 00C598AC
              • Part of subcall function 00C6FC86: _wcscpy.LIBCMT ref: 00C6FCA9
            • _wcstok.LIBCMT ref: 00CBEC94
            • _wcscpy.LIBCMT ref: 00CBED23
            • _memset.LIBCMT ref: 00CBED56
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: 5f63eabd900585ca30706693ede9ba4275561f5c38432772f56cd3c6626f7487
            • Instruction ID: 5c2762c8fe1f58a8c51be0be7b59ae801cd5dcade5f0c1babaa704fc0275c5a7
            • Opcode Fuzzy Hash: 5f63eabd900585ca30706693ede9ba4275561f5c38432772f56cd3c6626f7487
            • Instruction Fuzzy Hash: 22C18075508740DFC724EF24D841AAAB7E4FF85310F14492DF8999B2A2DB30ED89DB86
            APIs
              • Part of subcall function 00C70DB6: std::exception::exception.LIBCMT ref: 00C70DEC
              • Part of subcall function 00C70DB6: __CxxThrowException@8.LIBCMT ref: 00C70E01
              • Part of subcall function 00C57DE1: _memmove.LIBCMT ref: 00C57E22
              • Part of subcall function 00C57A51: _memmove.LIBCMT ref: 00C57AAB
            • __swprintf.LIBCMT ref: 00C62ECD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
            • String ID: (+I
            • API String ID: 1943609520-2960116247
            • Opcode ID: 21f521673211c63e055d0da72932523ff923a3a2e42963ed3dbe2612b8802916
            • Instruction ID: 709b0698b890688db85eb900156806f48b0d080a0e72773b0e5f4ebe772ee47c
            • Opcode Fuzzy Hash: 21f521673211c63e055d0da72932523ff923a3a2e42963ed3dbe2612b8802916
            • Instruction Fuzzy Hash: A591AF751087019FCB24EF24D885C6FB7A8EF95311F00491DF8959B2A1EB30EE88EB56
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memmove$_free
            • String ID: 3cA
            • API String ID: 2620147621-2523384761
            • Opcode ID: 1b99c16daf26ba05b26fd3cba724ea838179ea068b8530a01c401a2aae47b380
            • Instruction ID: d390a38749f103509c7759483d6f52130c3e25163794905ec5ea3e54be60e155
            • Opcode Fuzzy Hash: 1b99c16daf26ba05b26fd3cba724ea838179ea068b8530a01c401a2aae47b380
            • Instruction Fuzzy Hash: CE515A716083818FDB35CF28C880B6EBBE5EF85314F04882DE99997351DB31EA41CB42
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memset$_memmove
            • String ID: ERCP
            • API String ID: 2532777613-1384759551
            • Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
            • Instruction ID: 4dbcc8559c91dd23c47d35f76225110b7c814faec136d8ce06c37a036473ce94
            • Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
            • Instruction Fuzzy Hash: F951AF71A00706DBDB24CF65C985BAABBE8EF04304F20857EE95ADB251E770EA44CB50
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memset
            • String ID: oL$doL
            • API String ID: 2102423945-3421622115
            • Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
            • Instruction ID: 30ec9ee8f6885bece9ac25b6ee260e45bd0cfb8f82f7232f7f5a284dc870832d
            • Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
            • Instruction Fuzzy Hash: D0F05EB2540300BAE2502761BC06FBB3A9CEB08395F01C439BA08E5192D7759C00C7AC
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscat$__wsplitpath
            • String ID:
            • API String ID: 1413645957-0
            • Opcode ID: 188660a599668010583c76a9614ab57aaee43a98a951f5589b54779c745aba27
            • Instruction ID: c2d1fcf3239a6c2b85defea2a88c62b9f299b403a0949e604ae07178e0240b9a
            • Opcode Fuzzy Hash: 188660a599668010583c76a9614ab57aaee43a98a951f5589b54779c745aba27
            • Instruction Fuzzy Hash: BE81B3719043009FCB24EF65C8449EAB7E4EF89310F18882EF89AC7251EB35DA84DB52
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscat$__wsplitpath_wcscpy
            • String ID:
            • API String ID: 3240238573-0
            • Opcode ID: 4f4890e2e2a3eabc3efe22c229ca72d21f946308a6877a74bd565c218d50dfe6
            • Instruction ID: febf2d6456cd82d3c8d5d3cd102b1727bc9ed2b6ac97e38146433ae2fd76dfbe
            • Opcode Fuzzy Hash: 4f4890e2e2a3eabc3efe22c229ca72d21f946308a6877a74bd565c218d50dfe6
            • Instruction Fuzzy Hash: 67617B765043459FCB10EF20C8449EEB7E8FF89314F04496DF99A87251EB31EA49CB96
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __swprintf_wprintf$_memmove
            • String ID:
            • API String ID: 2249476411-0
            • Opcode ID: caf2c998783c6d6a87866aef771a2fbcf86fc1c5da1596bf467658d350e7574b
            • Instruction ID: 66951260da8f90b16d39e1c8b28827aabda28f7b64e4f7656af7daac2d80e10c
            • Opcode Fuzzy Hash: caf2c998783c6d6a87866aef771a2fbcf86fc1c5da1596bf467658d350e7574b
            • Instruction Fuzzy Hash: D5517E71900509ABCF15EBE0DD46EEEB778EF04301F204165B905721A2EB316F99EB69
            APIs
              • Part of subcall function 00C54EE5: _fseek.LIBCMT ref: 00C54EFD
              • Part of subcall function 00CB9734: _wcscmp.LIBCMT ref: 00CB9824
              • Part of subcall function 00CB9734: _wcscmp.LIBCMT ref: 00CB9837
            • _free.LIBCMT ref: 00CB96A2
            • _free.LIBCMT ref: 00CB96A9
            • _free.LIBCMT ref: 00CB9714
            • _free.LIBCMT ref: 00CB971C
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _free$_wcscmp$_fseek
            • String ID:
            • API String ID: 3404660211-0
            • Opcode ID: 8c66bba008aa022ea217763876d92d68911b16dfe2cdbb3685ec8a45d3e1b5f3
            • Instruction ID: f42b6d931b29af01c464dc5c0ecce6b9c3fdb6cdea7eb5994a005dd70b5c64c1
            • Opcode Fuzzy Hash: 8c66bba008aa022ea217763876d92d68911b16dfe2cdbb3685ec8a45d3e1b5f3
            • Instruction Fuzzy Hash: BE517CB1D04218ABDF289FA4CC85ADEBBB9EF48300F10419EF60DA3241DB715A84DF58
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __swprintf_wprintf$_memmove
            • String ID:
            • API String ID: 2249476411-0
            • Opcode ID: 3b826556c743c12135e1125909714c24acfff879d9fb167c7e2db4d00805d54e
            • Instruction ID: 41ac5172d25352c5ed88f8b3d765243904e0a600938376b99688d4c87d26765b
            • Opcode Fuzzy Hash: 3b826556c743c12135e1125909714c24acfff879d9fb167c7e2db4d00805d54e
            • Instruction Fuzzy Hash: FA518071900509ABCF14EBE0DD46EEEB778EF14301F604165F909721A2EB352F99EB68
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
            • String ID:
            • API String ID: 2782032738-0
            • Opcode ID: 8d5e84d796d2a622fb585a85b2cb739199fd67226ed781522a47284023b78b74
            • Instruction ID: 3d7223854d1d90362120e5e87c300726f3452f9f14cd9a956529d4adc2ff9d95
            • Opcode Fuzzy Hash: 8d5e84d796d2a622fb585a85b2cb739199fd67226ed781522a47284023b78b74
            • Instruction Fuzzy Hash: 5C41B775A007499BDB1CCF69C8809AE77A6EF46364B24C53DE82DCB680DB70DE41CB41
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __write$__getbuf__getptd_noexit__lseeki64
            • String ID:
            • API String ID: 4182129353-0
            • Opcode ID: b77aae38ed6e34726ab9f9f279fa09a21295c2db3db9c1ce0869ba17ac253568
            • Instruction ID: 1f2d3ff078937c3ec072b98900bb0e989b85871851e7633a98456ef2ce918842
            • Opcode Fuzzy Hash: b77aae38ed6e34726ab9f9f279fa09a21295c2db3db9c1ce0869ba17ac253568
            • Instruction Fuzzy Hash: B9411871100B019FD334AF69C881A7A77E5EF45328F08C61DE6BA8B6D1DB74E9409B58
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscmp
            • String ID:
            • API String ID: 856254489-0
            • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
            • Instruction ID: c207347f39e469d827635dbb9332f51e099ad4236727282cfe2d79c352e78387
            • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
            • Instruction Fuzzy Hash: 2B31F3325002186ADF14FFB4EC48AEE77AC9F48360F1045BAE814E21A1DB75DB85DB69
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscmp
            • String ID:
            • API String ID: 856254489-0
            • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
            • Instruction ID: 5406df75b77cc38f84dd9d83ec6f8c1b79de7a02d5a30eb6f83d9c0e6e04b7b9
            • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
            • Instruction Fuzzy Hash: 6C31E7365002197ADF14AFB4EC49BEE77AC9F45360F200579E824E21A0DB31DF46DB69
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction ID: c9bcdafa2dda591dfdd0374f0b62248d9ea36421bb063f7943ebe4283ea40cb4
            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction Fuzzy Hash: EF014E7244814ABBCF166F84CC45CED3F62BB18359B698615FA2859031E336CAB1BB85
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __itow_s
            • String ID: xbL$xbL
            • API String ID: 3653519197-3351732020
            • Opcode ID: d646e4bb21cf180c2b3bcf2ba2aa6e399e6fdbde90ff57f1201e620ffab942ef
            • Instruction ID: a084054dc5c76ca481a99dce5e0be48c2846176ef6ea8423cf21be52714302f4
            • Opcode Fuzzy Hash: d646e4bb21cf180c2b3bcf2ba2aa6e399e6fdbde90ff57f1201e620ffab942ef
            • Instruction Fuzzy Hash: 02B16B74A00209AFCB14DF95C895EAEBBB9FF58300F14805DF9459B291EB30EE85DB64
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memset
            • String ID:
            • API String ID: 2102423945-3916222277
            • Opcode ID: aa973d33a02bfa199831d235f317d3626315b443824ea58ce6c4261de3f61784
            • Instruction ID: 0eb2fae853032d68aa8bd5daf7ff46166d195de61ca540e1923d67dbaf3e01a5
            • Opcode Fuzzy Hash: aa973d33a02bfa199831d235f317d3626315b443824ea58ce6c4261de3f61784
            • Instruction Fuzzy Hash: 30816D71D0020AAFEF119FA4CC45AEE7BB9FF09308F144169FD24A6161DB319E19EB24
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _wcscat
            • String ID: \
            • API String ID: 2563891980-2967466578
            • Opcode ID: 37f8556a626ae037f6edf7abe1d4f3c4d2ba69555b9a07e1d7be78a4c2c9eb1a
            • Instruction ID: daded4130ba34010a89e51b35c424e7155d9c7652a6c66b426d20cfcbc2844f3
            • Opcode Fuzzy Hash: 37f8556a626ae037f6edf7abe1d4f3c4d2ba69555b9a07e1d7be78a4c2c9eb1a
            • Instruction Fuzzy Hash: 57719D751083019EC340FF65E841DAFBBE8FF94350B51893EF845871A0EB719988DB5A
            APIs
            • _memset.LIBCMT ref: 00CCF448
            • _memset.LIBCMT ref: 00CCF511
              • Part of subcall function 00C59837: __itow.LIBCMT ref: 00C59862
              • Part of subcall function 00C59837: __swprintf.LIBCMT ref: 00C598AC
              • Part of subcall function 00C6FC86: _wcscpy.LIBCMT ref: 00C6FCA9
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memset$__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 2523036003-2766056989
            • Opcode ID: fc9b12f333b0dcf5a4b7df1c92d6160ab3b60f831e68bfb17c9988c3f6607c25
            • Instruction ID: f96e32a1a0c1ee0774de5729a60519a2bcb4defcae52521df76357b5d80200c5
            • Opcode Fuzzy Hash: fc9b12f333b0dcf5a4b7df1c92d6160ab3b60f831e68bfb17c9988c3f6607c25
            • Instruction Fuzzy Hash: 15618075A00619DFCB14DF54C881AAEBBF5FF49310F14806DE855AB351CB30AE46DB94
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: _memset
            • String ID: 0$F
            • API String ID: 2102423945-3044882817
            • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
            • Instruction ID: 504db13b6ac27d7e494d6403d5001a4c402a64b2db241b5517d4aa51ed586fb4
            • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
            • Instruction Fuzzy Hash: E1417B74A01205EFDB20DF64D884E9ABBF5FF09310F144529FA15A7361E731AA24CFA4
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: __calloc_crt
            • String ID: K
            • API String ID: 3494438863-4153964727
            • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
            • Instruction ID: 614ad17d53b45e796259f3f96909aeda50628ce3013140682530f75911336c02
            • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
            • Instruction Fuzzy Hash: 33F0C871204E128BF7A48F15BC51F9667D4E741330F508066F209CE180EB3099C16AD8
            APIs
            • __lock.LIBCMT ref: 00C79B94
              • Part of subcall function 00C79C0B: __mtinitlocknum.LIBCMT ref: 00C79C1D
            • __updatetlocinfoEx_nolock.LIBCMT ref: 00C79BA4
              • Part of subcall function 00C79100: ___addlocaleref.LIBCMT ref: 00C7911C
              • Part of subcall function 00C79100: ___removelocaleref.LIBCMT ref: 00C79127
              • Part of subcall function 00C79100: ___freetlocinfo.LIBCMT ref: 00C7913B
            Memory Dump Source
            • Source File: 00000000.00000002.1568277658.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
            • Associated: 00000000.00000002.1568253148.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568345180.0000000000D04000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D0E000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568392013.0000000000D12000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1568439264.0000000000D17000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c50000_kQibsaGS2E.jbxd
            Similarity
            • API ID: Ex_nolock___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
            • String ID: 8K
            • API String ID: 3369060592-2802361588
            • Opcode ID: d41c92ecd1d7e74e0adb9f475a826e210c9bd16fdcadbad4fdccb8f20f9f3334
            • Instruction ID: ae1a57ae6b64cace8a264f5fde871176aefc6f4d44a49c6ab8a524ad52019f47
            • Opcode Fuzzy Hash: d41c92ecd1d7e74e0adb9f475a826e210c9bd16fdcadbad4fdccb8f20f9f3334
            • Instruction Fuzzy Hash: 4DE08C3198B301ABEA64FBA9A907BCD2660DB81B21F20826AF15D550C1CE782500A66F